47ba87558262eb9ea460b7e3a7938f51ca58b3d61fe01f97313e02de3965498c

Analysis

max time kernel
68s
max time network
180s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
10-01-2023 22:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

47ba87558262eb9ea460b7e3a7938f51ca58b3d61fe01f97313e02de3965498c.exe
Size

56KB
MD5

965bf096255e1f065972f5a9bb605e61
SHA1

1829a32fe5a01ef0d00e4ab88dd0911e03270e94
SHA256

47ba87558262eb9ea460b7e3a7938f51ca58b3d61fe01f97313e02de3965498c
SHA512

d16fe235e6cac70c77a94221151c35f359e098c92c16595122e7c9c574cb76e18b6ff521cd8d91860e1fb34216c9340ccf22c4a85a32189d89c8f6eb5303a969
SSDEEP

768:19Y5UBOOlyKkq/JyWSmNdGXyeb1IUOsYUQ4W8vc:wpOlNNEWNACeb1hO3X4W80

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4248	47ba87558262eb9ea460b7e3a7938f51ca58b3d61fe01f97313e02de3965498c.exe
4052	powershell.exe
4052	powershell.exe
4052	powershell.exe
3484	powershell.exe
3484	powershell.exe
3484	powershell.exe
5004	powershell.exe
5004	powershell.exe
5004	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4248	47ba87558262eb9ea460b7e3a7938f51ca58b3d61fe01f97313e02de3965498c.exe
Token: SeDebugPrivilege	4052	powershell.exe
Token: SeDebugPrivilege	3484	powershell.exe
Token: SeDebugPrivilege	5004	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4248 wrote to memory of 3688	4248	47ba87558262eb9ea460b7e3a7938f51ca58b3d61fe01f97313e02de3965498c.exe	68
PID 4248 wrote to memory of 3688	4248	47ba87558262eb9ea460b7e3a7938f51ca58b3d61fe01f97313e02de3965498c.exe	68
PID 4248 wrote to memory of 3688	4248	47ba87558262eb9ea460b7e3a7938f51ca58b3d61fe01f97313e02de3965498c.exe	68
PID 3688 wrote to memory of 1004	3688	cmd.exe	70
PID 3688 wrote to memory of 1004	3688	cmd.exe	70
PID 3688 wrote to memory of 1004	3688	cmd.exe	70
PID 3688 wrote to memory of 4052	3688	cmd.exe	71
PID 3688 wrote to memory of 4052	3688	cmd.exe	71
PID 3688 wrote to memory of 4052	3688	cmd.exe	71
PID 3688 wrote to memory of 3484	3688	cmd.exe	72
PID 3688 wrote to memory of 3484	3688	cmd.exe	72
PID 3688 wrote to memory of 3484	3688	cmd.exe	72
PID 3688 wrote to memory of 5004	3688	cmd.exe	73
PID 3688 wrote to memory of 5004	3688	cmd.exe	73
PID 3688 wrote to memory of 5004	3688	cmd.exe	73

C:\Users\Admin\AppData\Local\Temp\47ba87558262eb9ea460b7e3a7938f51ca58b3d61fe01f97313e02de3965498c.exe
"C:\Users\Admin\AppData\Local\Temp\47ba87558262eb9ea460b7e3a7938f51ca58b3d61fe01f97313e02de3965498c.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4248
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C chcp 1251 & powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\SystemData"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3688
- - C:\Windows\SysWOW64\chcp.com
    chcp 1251
    3⤵
    PID:1004
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4052
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3484
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\SystemData"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5004

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
7d8292ee6a63f2451118e425e2721cc9

SHA1
26aac98f91863c9c1277442d00853770e2043ee0

SHA256
45e0fb46139c2397a767a4031f392b576c274d5c1300ce4651b7562ec810f9f7

SHA512
89dfffebac66d4f57b9c6c99aa56b3141d843214037bbff631e4a1532b9718dc2c79f610e44d8d6fb29fba286850276d3d05658c5cda9ff1f5228f38621417a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
6efbba6879bfa4cbbc191064d5240c30

SHA1
f9ad80ab83892404b47ecaeddaae1c5b69c33ee5

SHA256
f0ecbd682f2c39d37b2717a36346dbb76ffad6b91c841e714b4820ab3b031179

SHA512
79d492f31fa24e5987f14a7a4728acee1ba111ddf4d10b2ecd2d818950b8c6cf45aa6dfcf26735c7f24c7f770f558034f8af2d0714c64ba01748bb19ae3094c1

Download Submit
memory/1004-197-0x0000000000000000-mapping.dmp

Download
memory/3484-552-0x0000000000000000-mapping.dmp

Download
memory/3688-191-0x0000000000000000-mapping.dmp

Download
memory/4052-305-0x0000000009380000-0x00000000093B3000-memory.dmp

Filesize
204KB

Download
memory/4052-270-0x0000000007A10000-0x0000000007A2C000-memory.dmp

Filesize
112KB

Download
memory/4052-318-0x00000000093C0000-0x0000000009465000-memory.dmp

Filesize
660KB

Download
memory/4052-306-0x0000000009360000-0x000000000937E000-memory.dmp

Filesize
120KB

Download
memory/4052-529-0x0000000009610000-0x000000000962A000-memory.dmp

Filesize
104KB

Download
memory/4052-275-0x00000000082D0000-0x0000000008346000-memory.dmp

Filesize
472KB

Download
memory/4052-271-0x0000000007FE0000-0x000000000802B000-memory.dmp

Filesize
300KB

Download
memory/4052-326-0x0000000009660000-0x00000000096F4000-memory.dmp

Filesize
592KB

Download
memory/4052-267-0x0000000007BD0000-0x0000000007F20000-memory.dmp

Filesize
3.3MB

Download
memory/4052-266-0x0000000007280000-0x00000000072E6000-memory.dmp

Filesize
408KB

Download
memory/4052-264-0x00000000071E0000-0x0000000007202000-memory.dmp

Filesize
136KB

Download
memory/4052-246-0x00000000073C0000-0x00000000079E8000-memory.dmp

Filesize
6.2MB

Download
memory/4052-241-0x0000000004AB0000-0x0000000004AE6000-memory.dmp

Filesize
216KB

Download
memory/4052-205-0x0000000000000000-mapping.dmp

Download
memory/4052-534-0x0000000009600000-0x0000000009608000-memory.dmp

Filesize
32KB

Download
memory/4248-165-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-175-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-142-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-143-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-144-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-145-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-146-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-147-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-148-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-149-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-150-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-151-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-152-0x0000000000F20000-0x0000000000F34000-memory.dmp

Filesize
80KB

Download
memory/4248-153-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-154-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-155-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-156-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-157-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-158-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-159-0x00000000031E0000-0x00000000031E6000-memory.dmp

Filesize
24KB

Download
memory/4248-160-0x000000000A1A0000-0x000000000A69E000-memory.dmp

Filesize
5.0MB

Download
memory/4248-161-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-162-0x0000000005920000-0x00000000059B2000-memory.dmp

Filesize
584KB

Download
memory/4248-163-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-164-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-119-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-166-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-167-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-168-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-169-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-170-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-171-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-172-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-173-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-174-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-141-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-176-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-177-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-178-0x0000000005800000-0x000000000580A000-memory.dmp

Filesize
40KB

Download
memory/4248-179-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-180-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-181-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-182-0x00000000066D0000-0x0000000006736000-memory.dmp

Filesize
408KB

Download
memory/4248-183-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-184-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-185-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-186-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-187-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-188-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-140-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-139-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-138-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-137-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-136-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-135-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-134-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-133-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-128-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-132-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-131-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-130-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-129-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-127-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-126-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-125-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-124-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-123-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-122-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-121-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-120-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/5004-863-0x0000000000000000-mapping.dmp

Download