Analysis
max time kernel: 100s
max time network: 141s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-01-2023 21:05
Behavioral task: behavioral1
Sample: tmp.exe
Resource: win7-20221111-en (windows7-x64)
1 signature, 150 seconds

Behavioral task: behavioral2
Sample: tmp.exe
Resource: win10v2004-20221111-en (windows10-2004-x64)
3 signatures, 150 seconds
General
Target: tmp.exe
Size: 1.0MB
MD5: 2a2b9b0930e3d96f9e97266d09578ae8
SHA1: 22bfab8b38cdae66c875177d7c892c1d364f4411
SHA256: f92f1e572619dfa04356daf942f6d86295a4f02ade18b4826077cb3a3c1d95a1
SHA512: a9abc90646544dc0f2f76d1641518f0a611e990bbfa72a9af28f0b9f48c986edea42ce5d65ccb3e67658d5d6aba762e8135fd6251a8db244379ca81ae0717f1f
SSDEEP: 24576:Y4/fET1abjXthYpsn0Ji0ttp8/IBp0cKD/WAXwDo2qyIN94j:YAmqh+W0JiWWGiDWAXb/yINy
Score: 8/10
Malware Config
Signatures

resource | yara_rule
behavioral2/memory/1748-132-0x0000000000400000-0x00000000006B9000-memory.dmp | upx
behavioral2/memory/1748-135-0x0000000000400000-0x00000000006B9000-memory.dmp | upx
behavioral2/memory/1748-136-0x0000000000400000-0x00000000006B9000-memory.dmp | upx
Suspicious use of AdjustPrivilegeToken (42 IoCs)

description | pid | Process
Token: SeIncreaseQuotaPrivilege | 3340 | WMIC.exe
Token: SeSecurityPrivilege | 3340 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 3340 | WMIC.exe
Token: SeLoadDriverPrivilege | 3340 | WMIC.exe
Token: SeSystemProfilePrivilege | 3340 | WMIC.exe
Token: SeSystemtimePrivilege | 3340 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 3340 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 3340 | WMIC.exe
Token: SeCreatePagefilePrivilege | 3340 | WMIC.exe
Token: SeBackupPrivilege | 3340 | WMIC.exe
Token: SeRestorePrivilege | 3340 | WMIC.exe
Token: SeShutdownPrivilege | 3340 | WMIC.exe
Token: SeDebugPrivilege | 3340 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 3340 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 3340 | WMIC.exe
Token: SeUndockPrivilege | 3340 | WMIC.exe
Token: SeManageVolumePrivilege | 3340 | WMIC.exe
Token: 33 | 3340 | WMIC.exe
Token: 34 | 3340 | WMIC.exe
Token: 35 | 3340 | WMIC.exe
Token: 36 | 3340 | WMIC.exe
Token: SeIncreaseQuotaPrivilege | 3340 | WMIC.exe
Token: SeSecurityPrivilege | 3340 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 3340 | WMIC.exe
Token: SeLoadDriverPrivilege | 3340 | WMIC.exe
Token: SeSystemProfilePrivilege | 3340 | WMIC.exe
Token: SeSystemtimePrivilege | 3340 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 3340 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 3340 | WMIC.exe
Token: SeCreatePagefilePrivilege | 3340 | WMIC.exe
Token: SeBackupPrivilege | 3340 | WMIC.exe
Token: SeRestorePrivilege | 3340 | WMIC.exe
Token: SeShutdownPrivilege | 3340 | WMIC.exe
Token: SeDebugPrivilege | 3340 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 3340 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 3340 | WMIC.exe
Token: SeUndockPrivilege | 3340 | WMIC.exe
Token: SeManageVolumePrivilege | 3340 | WMIC.exe
Token: 33 | 3340 | WMIC.exe
Token: 34 | 3340 | WMIC.exe
Token: 35 | 3340 | WMIC.exe
Token: 36 | 3340 | WMIC.exe
Suspicious use of WriteProcessMemory (4 IoCs)

description | pid | Process | procid_target
PID 1748 wrote to memory of 3180 | 1748 | tmp.exe | 81
PID 1748 wrote to memory of 3180 | 1748 | tmp.exe | 81
PID 3180 wrote to memory of 3340 | 3180 | cmd.exe | 83
PID 3180 wrote to memory of 3340 | 3180 | cmd.exe | 83
Processes

1. C:\Users\Admin\AppData\Local\Temp\tmp.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
   PID: 1748
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\Sysnative\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\tmp.exe"
      PID: 3180
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\System32\Wbem\WMIC.exe
         Command line: WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\tmp.exe"
         PID: 3340
         - Suspicious use of AdjustPrivilegeToken