0d88cfa2c2d6f7bd237f0cfab2e075f2b3ee328b15c3980ca48f31c77f8f7204

Analysis

max time kernel
143s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
29-01-2023 17:40

Target

0d88cfa2c2d6f7bd237f0cfab2e075f2b3ee328b15c3980ca48f31c77f8f7204.exe
Size

4.6MB
MD5

fa68435c8733319fdc648b1ae7e76ff6
SHA1

afabe1cb32cc64d5c9d1dc3f8330da7cf1a3e2f0
SHA256

0d88cfa2c2d6f7bd237f0cfab2e075f2b3ee328b15c3980ca48f31c77f8f7204
SHA512

4b70d76ab9f9a48f719b4400ffab0ac9914e5e788d7513a9d06ba0593c9b3a7d16f3489ef121c2202a20be6238b76ea839ac5d19becabff196c2cbd6a8655ea1
SSDEEP

49152:n6S5QUskvRLmhAG5JyCE/Wi5MgmHG0G5vKuPIR+vFtP0/VjeYJ1E+kRU1:j5QUskvRCJW+

Score

7^/10

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
1632	cmd.exe

Delays execution with timeout.exe 1 IoCs

evasion

Processes:

timeout.exe

pid	Process
1116	timeout.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid	Process
668	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description	pid	Process
Token: SeDebugPrivilege	668	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

0d88cfa2c2d6f7bd237f0cfab2e075f2b3ee328b15c3980ca48f31c77f8f7204.execmd.exe

description	pid	Process	procid_target
PID 1292 wrote to memory of 668	1292	0d88cfa2c2d6f7bd237f0cfab2e075f2b3ee328b15c3980ca48f31c77f8f7204.exe	28
PID 1292 wrote to memory of 668	1292	0d88cfa2c2d6f7bd237f0cfab2e075f2b3ee328b15c3980ca48f31c77f8f7204.exe	28
PID 1292 wrote to memory of 668	1292	0d88cfa2c2d6f7bd237f0cfab2e075f2b3ee328b15c3980ca48f31c77f8f7204.exe	28
PID 1292 wrote to memory of 1632	1292	0d88cfa2c2d6f7bd237f0cfab2e075f2b3ee328b15c3980ca48f31c77f8f7204.exe	30
PID 1292 wrote to memory of 1632	1292	0d88cfa2c2d6f7bd237f0cfab2e075f2b3ee328b15c3980ca48f31c77f8f7204.exe	30
PID 1292 wrote to memory of 1632	1292	0d88cfa2c2d6f7bd237f0cfab2e075f2b3ee328b15c3980ca48f31c77f8f7204.exe	30
PID 1632 wrote to memory of 1116	1632	cmd.exe	32
PID 1632 wrote to memory of 1116	1632	cmd.exe	32
PID 1632 wrote to memory of 1116	1632	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\0d88cfa2c2d6f7bd237f0cfab2e075f2b3ee328b15c3980ca48f31c77f8f7204.exe
"C:\Users\Admin\AppData\Local\Temp\0d88cfa2c2d6f7bd237f0cfab2e075f2b3ee328b15c3980ca48f31c77f8f7204.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1292
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:668
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /C timeout -n t& del C:\Users\Admin\AppData\Local\Temp\0d88cfa2c2d6f7bd237f0cfab2e075f2b3ee328b15c3980ca48f31c77f8f7204.exe
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1632
- - C:\Windows\system32\timeout.exe
    timeout -n t
    3⤵
    - Delays execution with timeout.exe
    PID:1116

C:\Users\Admin\AppData\Local\Temp\ready.ps1

Filesize
6KB

MD5
37330f50cf392bca59567a22de3b836a

SHA1
f7b37328533a133567aa28f03015da69e2e36547

SHA256
a34c2923388f87e84a4f67f123626af4eff5e7d7e5abe327b6a1b1aa55a12de1

SHA512
5d1c19df182caf82388fd05e30422fa957af30a4092334a53a128e36d6c3ce2cb20aa10d96344cd8b1b145180df4d737b30bbd48a1c809ce25a82912397b19a6

Download Submit
memory/668-55-0x0000000000000000-mapping.dmp

Download
memory/668-56-0x000007FEFBF31000-0x000007FEFBF33000-memory.dmp

Filesize
8KB

Download
memory/668-57-0x000007FEEC850000-0x000007FEED273000-memory.dmp

Filesize
10.1MB

Download
memory/668-58-0x000007FEEBCF0000-0x000007FEEC84D000-memory.dmp

Filesize
11.4MB

Download
memory/668-59-0x00000000024D4000-0x00000000024D7000-memory.dmp

Filesize
12KB

Download
memory/668-60-0x000000001B710000-0x000000001BA0F000-memory.dmp

Filesize
3.0MB

Download
memory/668-63-0x00000000024DB000-0x00000000024FA000-memory.dmp

Filesize
124KB

Download
memory/668-62-0x00000000024D4000-0x00000000024D7000-memory.dmp

Filesize
12KB

Download
memory/1116-65-0x0000000000000000-mapping.dmp

Download
memory/1292-54-0x0000000043990000-0x0000000043C48000-memory.dmp

Filesize
2.7MB

Download
memory/1632-64-0x0000000000000000-mapping.dmp

Download