Analysis
max time kernel: 31s
max time network: 34s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 21/01/2023, 20:56
Static task: static1
Behavioral task: behavioral1
Sample: Screenshot Map.exe
Resource: win7-20221111-en
3 signatures
150 seconds
General
Target: Screenshot Map.exe
Size: 293KB
MD5: 0b916c1bb37ac75ef96d827e662a164c
SHA1: 05c06be84c9f61c123e1c35e2004e15c05b5f28a
SHA256: ee8ae89f2f8a6e6804c3772181a889ec77fce227a31b12d9a409259f86b48702
SHA512: 54f32e9a9435340cd0a3fc6e28c1637e15a6c261d87d19317cf7b4fe01efbabdad2c848b68f9b35cf2000a0a2a9e0037e160604b29be49538499160c9ef8c754
SSDEEP: 6144:8G/M39DFekGOj/+HgS0P4mKHMN5/B4FL:zMdwkvS0PLKHM7qZ
Score: 1/10
Malware Config
Signatures
Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid   Process
  2024  powershell.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2024  powershell.exe
Suspicious use of WriteProcessMemory (4 IoCs)
  description                      pid   Process             procid_target
  PID 1764 wrote to memory of 2024  1764  Screenshot Map.exe  28
  PID 1764 wrote to memory of 2024  1764  Screenshot Map.exe  28
  PID 1764 wrote to memory of 2024  1764  Screenshot Map.exe  28
  PID 1764 wrote to memory of 2024  1764  Screenshot Map.exe  28
Processes
C:\Users\Admin\AppData\Local\Temp\Screenshot Map.exe
"C:\Users\Admin\AppData\Local\Temp\Screenshot Map.exe"
PID: 1764
- Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell.exe"
    PID: 2024
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken