3c8a67035e42a05e08fefe63aac29f23c3fc2d7e9855341db6483bd1ef174775

Analysis

max time kernel
145s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
11/01/2023, 07:25

Target

FileSetup.exe
Size

550.0MB
MD5

e8944a545afce26bb383e952d020e238
SHA1

21f74bab0bfde406343fac29489ad5fa30800d00
SHA256

eea3da85140c7a5143ee8ad3e2ecad8f763ba9adf547cee660fdcec0fb8afb02
SHA512

32d9d51af14ee5f610616d1158f7172885426fb43a21ab89c7e3ad83b3adaedb1815ab3e9455b5e005d681f2345c03b8874de2955689df2845440fcbe3fb28b9
SSDEEP

6144:BsRRdypT+O8R9wReW0EQ3E0erWbxuHTFUrtkEWU9qXqxVooHaTjD9HT77/h13Dvj:mRcbEE0ecWY/0acBjdf/h5vzlt

Score

8^/10

Blocklisted process makes network request 1 IoCs

flow	pid	Process
15	4920	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4920	powershell.exe
4920	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4920	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 516 wrote to memory of 4920	516	FileSetup.exe	81
PID 516 wrote to memory of 4920	516	FileSetup.exe	81
PID 516 wrote to memory of 4920	516	FileSetup.exe	81

C:\Users\Admin\AppData\Local\Temp\FileSetup.exe
"C:\Users\Admin\AppData\Local\Temp\FileSetup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:516
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell.exe"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4920

memory/516-132-0x00000000008F0000-0x0000000000976000-memory.dmp

Filesize
536KB

Download
memory/516-133-0x0000000005920000-0x0000000005EC4000-memory.dmp

Filesize
5.6MB

Download
memory/516-134-0x0000000005370000-0x0000000005402000-memory.dmp

Filesize
584KB

Download
memory/516-135-0x0000000005510000-0x000000000551A000-memory.dmp

Filesize
40KB

Download
memory/4920-137-0x0000000002190000-0x00000000021C6000-memory.dmp

Filesize
216KB

Download
memory/4920-138-0x0000000004C80000-0x00000000052A8000-memory.dmp

Filesize
6.2MB

Download
memory/4920-139-0x0000000004AC0000-0x0000000004AE2000-memory.dmp

Filesize
136KB

Download
memory/4920-140-0x0000000004B60000-0x0000000004BC6000-memory.dmp

Filesize
408KB

Download
memory/4920-141-0x0000000005460000-0x00000000054C6000-memory.dmp

Filesize
408KB

Download
memory/4920-142-0x0000000005A90000-0x0000000005AAE000-memory.dmp

Filesize
120KB

Download
memory/4920-143-0x0000000006020000-0x0000000006064000-memory.dmp

Filesize
272KB

Download
memory/4920-144-0x0000000006B90000-0x0000000006C06000-memory.dmp

Filesize
472KB

Download
memory/4920-145-0x0000000007290000-0x000000000790A000-memory.dmp

Filesize
6.5MB

Download
memory/4920-146-0x0000000006C30000-0x0000000006C4A000-memory.dmp

Filesize
104KB

Download