28aab061347635d73eea347901ddfe829bfbf1fa9d00b713c57ae24741e66dc8

Analysis

max time kernel
45s
max time network
48s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
13/02/2023, 21:41

Target

C839.tmp.exe
Size

99KB
MD5

f872615ca34a1e25ee553cf706ffaea9
SHA1

d470b97ad96f6216163c5748ea4ff300fab917ef
SHA256

99a0c7cb6c4da7f6ec490cc98b04213a0422091b82b837662af25117ee01fa08
SHA512

e2e7abeddcba3c8463970d7850e6b01abc23478ebbafc98b49a4336e11b797198cad937b88966353fd363b65ff3068139857cd6993e255d5ff016bb6e9371938
SSDEEP

1536:f7fbN3eEDhDPA/pICdUkbBtW7upvaLU0bI5taxKo0IOlnToIffwOmWRVy8OY:T7DhdC6kzWypvaQ0FxyNTBffPNl

Score

1^/10

Kills process with taskkill 1 IoCs

evasion

pid	Process
1900	taskkill.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1900	taskkill.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1896 wrote to memory of 1940	1896	C839.tmp.exe	29
PID 1896 wrote to memory of 1940	1896	C839.tmp.exe	29
PID 1896 wrote to memory of 1940	1896	C839.tmp.exe	29
PID 1896 wrote to memory of 1940	1896	C839.tmp.exe	29
PID 1940 wrote to memory of 1900	1940	cmd.exe	30
PID 1940 wrote to memory of 1900	1940	cmd.exe	30
PID 1940 wrote to memory of 1900	1940	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\C839.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\C839.tmp.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1896
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\E457.tmp\E458.tmp\E459.bat C:\Users\Admin\AppData\Local\Temp\C839.tmp.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1940
- - C:\Windows\system32\taskkill.exe
    taskkill /IM IntelliSpacePACSRadiology.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1900

C:\Users\Admin\AppData\Local\Temp\E457.tmp\E458.tmp\E459.bat

Filesize
434B

MD5
3f78d15c9d279a4616833022c966550c

SHA1
0923b6fa87bfaad27c0c66dff86d78ca0df1a7d3

SHA256
586eb981e36f303ed57167d96a82f7f2c41afcc18fcc56a7961f71023573b61e

SHA512
a2b84d86a71187d0f8870cb3c8d7844f7e80eadffebaba269a7560e32580f586644d8ccacba20ef621c3554945cad582ad59df29e19ca57b9986ac4c723cf433

Download Submit
memory/1896-54-0x0000000076181000-0x0000000076183000-memory.dmp

Filesize
8KB

Download