a328a8b8e0114e0dce2aa870b967912f8caee3522ae6fbd101553ef7a9890d52

Analysis

max time kernel
29s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
06/03/2023, 22:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

1.1MB
MD5

6af3d425618ab9242b9b3ff36d5573ce
SHA1

ef4933ad454c46df082eeb0b7c6520d0ad09aaef
SHA256

a328a8b8e0114e0dce2aa870b967912f8caee3522ae6fbd101553ef7a9890d52
SHA512

79f5947d8426c641a3bd5362a9063ef78f90e2b16ae1d835782c4950548f721e8d19f2984bd4e537e050a746d10d3d1fbf650a5b5ad8d942fa52349d312cacfa
SSDEEP

24576:4+bUdulRs0b27vovjgUpf7yJ1rga/v7fjsuwB:4+bW0cS7Srf

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1064	tmp.exe
1064	tmp.exe
1064	tmp.exe
1064	tmp.exe
1064	tmp.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1064	tmp.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 1064 wrote to memory of 540	1064	tmp.exe	27
PID 1064 wrote to memory of 540	1064	tmp.exe	27
PID 1064 wrote to memory of 540	1064	tmp.exe	27
PID 1064 wrote to memory of 540	1064	tmp.exe	27
PID 1064 wrote to memory of 540	1064	tmp.exe	27
PID 1064 wrote to memory of 540	1064	tmp.exe	27
PID 1064 wrote to memory of 540	1064	tmp.exe	27
PID 1064 wrote to memory of 544	1064	tmp.exe	31
PID 1064 wrote to memory of 544	1064	tmp.exe	31
PID 1064 wrote to memory of 544	1064	tmp.exe	31
PID 1064 wrote to memory of 544	1064	tmp.exe	31
PID 1064 wrote to memory of 544	1064	tmp.exe	31
PID 1064 wrote to memory of 544	1064	tmp.exe	31
PID 1064 wrote to memory of 544	1064	tmp.exe	31
PID 1064 wrote to memory of 560	1064	tmp.exe	30
PID 1064 wrote to memory of 560	1064	tmp.exe	30
PID 1064 wrote to memory of 560	1064	tmp.exe	30
PID 1064 wrote to memory of 560	1064	tmp.exe	30
PID 1064 wrote to memory of 560	1064	tmp.exe	30
PID 1064 wrote to memory of 560	1064	tmp.exe	30
PID 1064 wrote to memory of 560	1064	tmp.exe	30
PID 1064 wrote to memory of 960	1064	tmp.exe	29
PID 1064 wrote to memory of 960	1064	tmp.exe	29
PID 1064 wrote to memory of 960	1064	tmp.exe	29
PID 1064 wrote to memory of 960	1064	tmp.exe	29
PID 1064 wrote to memory of 960	1064	tmp.exe	29
PID 1064 wrote to memory of 960	1064	tmp.exe	29
PID 1064 wrote to memory of 960	1064	tmp.exe	29
PID 1064 wrote to memory of 2024	1064	tmp.exe	28
PID 1064 wrote to memory of 2024	1064	tmp.exe	28
PID 1064 wrote to memory of 2024	1064	tmp.exe	28
PID 1064 wrote to memory of 2024	1064	tmp.exe	28
PID 1064 wrote to memory of 2024	1064	tmp.exe	28
PID 1064 wrote to memory of 2024	1064	tmp.exe	28
PID 1064 wrote to memory of 2024	1064	tmp.exe	28

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1064
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  PID:540
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  PID:2024
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  PID:960
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  PID:560
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  PID:544

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1064-54-0x0000000000DD0000-0x0000000000EF8000-memory.dmp

Filesize
1.2MB

Download
memory/1064-55-0x0000000000A80000-0x0000000000AC0000-memory.dmp

Filesize
256KB

Download
memory/1064-56-0x0000000009CA0000-0x0000000009F4E000-memory.dmp

Filesize
2.7MB

Download