a16ffc8e781e14fc6058630b81cd948df4be52a4721588121d9448c0c0359a0d

Analysis

max time kernel
139s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03/02/2023, 18:55

Target

Liquid V3 Files/LiquidLauncher.exe
Size

2.2MB
MD5

a3f1a0273a51879db8147db21581bca8
SHA1

4fbec47940b177702df61be774051e4520cdb9ea
SHA256

798bc28fa4d4ce257c0324dcb058607bd3ed0fcebd0628a2df6d944f7eeb76d1
SHA512

de1fba872f85db2c70bb16ae3333c026159df284d2b1b839dfc1f0c0c121f00517c29f57553aa2c8d0392ec001859feac9f803c94a5fb19ff9cf7e9bcfd2e7f4
SSDEEP

24576:/YdQGnYdQG5N8Bo+WjZQCHEk/JQCzy6TSJ9f3Qld9yNpanPUn9jCxbAyxhxCcwSU:GQlQE5+MZQCBJ7y2C0FPbd7CHSltxbQ

Score

6^/10

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4468	LiquidLauncher.exe

C:\Users\Admin\AppData\Local\Temp\Liquid V3 Files\LiquidLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\Liquid V3 Files\LiquidLauncher.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4468

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

memory/4468-132-0x0000000000D50000-0x0000000000F92000-memory.dmp

Filesize
2.3MB

Download
memory/4468-133-0x000000001CC90000-0x000000001CCD2000-memory.dmp

Filesize
264KB

Download
memory/4468-134-0x00007FFBBCCE0000-0x00007FFBBD7A1000-memory.dmp

Filesize
10.8MB

Download
memory/4468-135-0x00007FFBBCCE0000-0x00007FFBBD7A1000-memory.dmp

Filesize
10.8MB

Download