8cb590f2b6915a98149d41b605f084cd0d08134ac34812b1b6a67f27615e65f0

Analysis

max time kernel
48s
max time network
53s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
29-01-2023 17:41

Target

8cb590f2b6915a98149d41b605f084cd0d08134ac34812b1b6a67f27615e65f0.exe
Size

4.6MB
MD5

62bb4a8734cacaaea9605ea3b282b6b7
SHA1

134a17660b9c64e35a75c175fa9f5c4bec5b2835
SHA256

8cb590f2b6915a98149d41b605f084cd0d08134ac34812b1b6a67f27615e65f0
SHA512

15b68c65653c7446af02a1c548b7b19a12c9328b5170a0b4f9635eacf11cc62fe8862378f237a97acf68974183904410de5c51ddc4380675cec2d4459c7e06cd
SSDEEP

49152:AHy5JqSxFHuTWN5wqqOvAbCI8whLT5Xz+HavHxp7dU/V4ZNEgyU1:b5JqSxFHuTp+

Score

7^/10

Deletes itself 1 IoCs

pid	Process
2016	cmd.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1368	timeout.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
524	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	524	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1564 wrote to memory of 524	1564	8cb590f2b6915a98149d41b605f084cd0d08134ac34812b1b6a67f27615e65f0.exe	26
PID 1564 wrote to memory of 524	1564	8cb590f2b6915a98149d41b605f084cd0d08134ac34812b1b6a67f27615e65f0.exe	26
PID 1564 wrote to memory of 524	1564	8cb590f2b6915a98149d41b605f084cd0d08134ac34812b1b6a67f27615e65f0.exe	26
PID 1564 wrote to memory of 2016	1564	8cb590f2b6915a98149d41b605f084cd0d08134ac34812b1b6a67f27615e65f0.exe	28
PID 1564 wrote to memory of 2016	1564	8cb590f2b6915a98149d41b605f084cd0d08134ac34812b1b6a67f27615e65f0.exe	28
PID 1564 wrote to memory of 2016	1564	8cb590f2b6915a98149d41b605f084cd0d08134ac34812b1b6a67f27615e65f0.exe	28
PID 2016 wrote to memory of 1368	2016	cmd.exe	30
PID 2016 wrote to memory of 1368	2016	cmd.exe	30
PID 2016 wrote to memory of 1368	2016	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\8cb590f2b6915a98149d41b605f084cd0d08134ac34812b1b6a67f27615e65f0.exe
"C:\Users\Admin\AppData\Local\Temp\8cb590f2b6915a98149d41b605f084cd0d08134ac34812b1b6a67f27615e65f0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1564
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:524
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /C timeout -n t& del C:\Users\Admin\AppData\Local\Temp\8cb590f2b6915a98149d41b605f084cd0d08134ac34812b1b6a67f27615e65f0.exe
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2016
- - C:\Windows\system32\timeout.exe
    timeout -n t
    3⤵
    - Delays execution with timeout.exe
    PID:1368

C:\Users\Admin\AppData\Local\Temp\ready.ps1

Filesize
6KB

MD5
37330f50cf392bca59567a22de3b836a

SHA1
f7b37328533a133567aa28f03015da69e2e36547

SHA256
a34c2923388f87e84a4f67f123626af4eff5e7d7e5abe327b6a1b1aa55a12de1

SHA512
5d1c19df182caf82388fd05e30422fa957af30a4092334a53a128e36d6c3ce2cb20aa10d96344cd8b1b145180df4d737b30bbd48a1c809ce25a82912397b19a6

Download Submit
memory/524-56-0x000007FEFBB71000-0x000007FEFBB73000-memory.dmp

Filesize
8KB

Download
memory/524-57-0x000007FEEC6D0000-0x000007FEED0F3000-memory.dmp

Filesize
10.1MB

Download
memory/524-58-0x000007FEEBB70000-0x000007FEEC6CD000-memory.dmp

Filesize
11.4MB

Download
memory/524-60-0x00000000027A4000-0x00000000027A7000-memory.dmp

Filesize
12KB

Download
memory/524-61-0x00000000027AB000-0x00000000027CA000-memory.dmp

Filesize
124KB

Download
memory/524-62-0x00000000027AB000-0x00000000027CA000-memory.dmp

Filesize
124KB

Download
memory/1564-54-0x0000000043BB0000-0x0000000043E68000-memory.dmp

Filesize
2.7MB

Download