47ba87558262eb9ea460b7e3a7938f51ca58b3d61fe01f97313e02de3965498c

Analysis

max time kernel
71s
max time network
180s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
09/01/2023, 04:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

47ba87558262eb9ea460b7e3a7938f51ca58b3d61fe01f97313e02de3965498c.exe
Size

56KB
MD5

965bf096255e1f065972f5a9bb605e61
SHA1

1829a32fe5a01ef0d00e4ab88dd0911e03270e94
SHA256

47ba87558262eb9ea460b7e3a7938f51ca58b3d61fe01f97313e02de3965498c
SHA512

d16fe235e6cac70c77a94221151c35f359e098c92c16595122e7c9c574cb76e18b6ff521cd8d91860e1fb34216c9340ccf22c4a85a32189d89c8f6eb5303a969
SSDEEP

768:19Y5UBOOlyKkq/JyWSmNdGXyeb1IUOsYUQ4W8vc:wpOlNNEWNACeb1hO3X4W80

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3068	47ba87558262eb9ea460b7e3a7938f51ca58b3d61fe01f97313e02de3965498c.exe
4800	powershell.exe
4800	powershell.exe
4800	powershell.exe
1688	powershell.exe
1688	powershell.exe
1688	powershell.exe
3872	powershell.exe
3872	powershell.exe
3872	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3068	47ba87558262eb9ea460b7e3a7938f51ca58b3d61fe01f97313e02de3965498c.exe
Token: SeDebugPrivilege	4800	powershell.exe
Token: SeDebugPrivilege	1688	powershell.exe
Token: SeDebugPrivilege	3872	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 804	3068	47ba87558262eb9ea460b7e3a7938f51ca58b3d61fe01f97313e02de3965498c.exe	68
PID 3068 wrote to memory of 804	3068	47ba87558262eb9ea460b7e3a7938f51ca58b3d61fe01f97313e02de3965498c.exe	68
PID 3068 wrote to memory of 804	3068	47ba87558262eb9ea460b7e3a7938f51ca58b3d61fe01f97313e02de3965498c.exe	68
PID 804 wrote to memory of 1732	804	cmd.exe	70
PID 804 wrote to memory of 1732	804	cmd.exe	70
PID 804 wrote to memory of 1732	804	cmd.exe	70
PID 804 wrote to memory of 4800	804	cmd.exe	71
PID 804 wrote to memory of 4800	804	cmd.exe	71
PID 804 wrote to memory of 4800	804	cmd.exe	71
PID 804 wrote to memory of 1688	804	cmd.exe	72
PID 804 wrote to memory of 1688	804	cmd.exe	72
PID 804 wrote to memory of 1688	804	cmd.exe	72
PID 804 wrote to memory of 3872	804	cmd.exe	73
PID 804 wrote to memory of 3872	804	cmd.exe	73
PID 804 wrote to memory of 3872	804	cmd.exe	73

C:\Users\Admin\AppData\Local\Temp\47ba87558262eb9ea460b7e3a7938f51ca58b3d61fe01f97313e02de3965498c.exe
"C:\Users\Admin\AppData\Local\Temp\47ba87558262eb9ea460b7e3a7938f51ca58b3d61fe01f97313e02de3965498c.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C chcp 1251 & powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\SystemData"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:804
- - C:\Windows\SysWOW64\chcp.com
    chcp 1251
    3⤵
    PID:1732
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4800
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1688
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\SystemData"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3872

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
ce1196b4a91a8c76d804f583c1ba59e0

SHA1
9ed068dda15b900da2ef6f1349e984544fd8ac99

SHA256
b4677404f9faaa1679823c8859205a6345341ab16c2ac207b77b8e2c53b787ca

SHA512
7fff8fa1f3a45cc1bc192173bac6892da3497af051d1e06c96b515f7a4c3e330fdb39d2bda158674c271c0492874317b2734ef53ee0f6724978fd5f693ce5df3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
da6e47abf0bbc0fc93aee860cbe67261

SHA1
d8a27f302b85775a9121b16380ad4ba7c1c691af

SHA256
97d34c3746f8251735f3e84f9dea581c6629620e2f7a6d1da56e4d13efdcd2c7

SHA512
00479bbd77f34216fc3375baed78938aebb17b8680843e6195207a5165e0982ea61161405ebd6976361fce5b512424474b6d17960f317f8b98392d842d77505a

Download Submit
memory/3068-166-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3068-126-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3068-128-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3068-129-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3068-130-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3068-131-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3068-133-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3068-132-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3068-134-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3068-170-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3068-136-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3068-137-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3068-138-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3068-139-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3068-140-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3068-141-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3068-142-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3068-143-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3068-144-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3068-145-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3068-146-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3068-147-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3068-168-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3068-149-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3068-150-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3068-151-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3068-152-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3068-153-0x0000000000E10000-0x0000000000E24000-memory.dmp

Filesize
80KB

Download
memory/3068-154-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3068-155-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3068-156-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3068-157-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3068-158-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3068-159-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3068-160-0x00000000030D0000-0x00000000030D6000-memory.dmp

Filesize
24KB

Download
memory/3068-161-0x000000000A0A0000-0x000000000A59E000-memory.dmp

Filesize
5.0MB

Download
memory/3068-162-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3068-163-0x0000000005820000-0x00000000058B2000-memory.dmp

Filesize
584KB

Download
memory/3068-164-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3068-165-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3068-120-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3068-167-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3068-148-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3068-127-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3068-135-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3068-171-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3068-172-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3068-173-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3068-174-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3068-175-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3068-176-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3068-177-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3068-178-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3068-179-0x0000000005620000-0x000000000562A000-memory.dmp

Filesize
40KB

Download
memory/3068-180-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3068-181-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3068-182-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3068-183-0x00000000065D0000-0x0000000006636000-memory.dmp

Filesize
408KB

Download
memory/3068-184-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3068-185-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3068-186-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3068-187-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3068-188-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3068-189-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3068-169-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3068-125-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3068-121-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3068-122-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3068-123-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3068-124-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/4800-327-0x00000000094D0000-0x0000000009564000-memory.dmp

Filesize
592KB

Download
memory/4800-265-0x0000000007680000-0x00000000076A2000-memory.dmp

Filesize
136KB

Download
memory/4800-272-0x0000000008370000-0x00000000083BB000-memory.dmp

Filesize
300KB

Download
memory/4800-276-0x00000000080E0000-0x0000000008156000-memory.dmp

Filesize
472KB

Download
memory/4800-313-0x0000000008FD0000-0x0000000009003000-memory.dmp

Filesize
204KB

Download
memory/4800-314-0x0000000008FB0000-0x0000000008FCE000-memory.dmp

Filesize
120KB

Download
memory/4800-271-0x0000000007800000-0x000000000781C000-memory.dmp

Filesize
112KB

Download
memory/4800-323-0x0000000009020000-0x00000000090C5000-memory.dmp

Filesize
660KB

Download
memory/4800-267-0x0000000007720000-0x0000000007786000-memory.dmp

Filesize
408KB

Download
memory/4800-535-0x0000000009460000-0x0000000009468000-memory.dmp

Filesize
32KB

Download
memory/4800-530-0x0000000009470000-0x000000000948A000-memory.dmp

Filesize
104KB

Download
memory/4800-247-0x0000000006FD0000-0x00000000075F8000-memory.dmp

Filesize
6.2MB

Download
memory/4800-242-0x0000000006930000-0x0000000006966000-memory.dmp

Filesize
216KB

Download
memory/4800-268-0x0000000007B60000-0x0000000007EB0000-memory.dmp

Filesize
3.3MB

Download