Analysis

max time kernel: 143s
max time network: 127s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-03-2023 14:16
Static task: static1

Behavioral task: behavioral1
  Sample: 030d9daf754e7d55b6690abc958386c7bd69c539b50a971b2a61b0d14210a498.exe
  Resource: win7-20230220-en

Behavioral task: behavioral2
  Sample: 030d9daf754e7d55b6690abc958386c7bd69c539b50a971b2a61b0d14210a498.exe
  Resource: win10v2004-20230220-en
General

Target: 030d9daf754e7d55b6690abc958386c7bd69c539b50a971b2a61b0d14210a498.exe
Size: 474KB
MD5: dcb7eaa1fd51e975b67a3ed92509167a
SHA1: 528c5a4837a195707581724d408c809433f14a16
SHA256: 030d9daf754e7d55b6690abc958386c7bd69c539b50a971b2a61b0d14210a498
SHA512: 8b095bc1d1c22db78e1ee1011bd7d6564c3657c4bade729baf803b6df857f88be1fceac74b55b72786df635bbee7ad3ff8d17bbc28da553c1bb08ae275df543c
SSDEEP: 6144:WG0tEl7ERlzVxn5zLTjgpjdGXq7IOVf4c0Lu8nuyqvM30vakSNMmoYqTVXwIuODf:BCFzbF3g1kXqZf4czAVMmlq5pTlEv1G
Malware Config
Signatures

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid   process
  4372  030d9daf754e7d55b6690abc958386c7bd69c539b50a971b2a61b0d14210a498.exe
  4372  030d9daf754e7d55b6690abc958386c7bd69c539b50a971b2a61b0d14210a498.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description              pid   process
  Token: SeDebugPrivilege  4372  030d9daf754e7d55b6690abc958386c7bd69c539b50a971b2a61b0d14210a498.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description                       pid   process                                                                 target process
  PID 4372 wrote to memory of 2832  4372  030d9daf754e7d55b6690abc958386c7bd69c539b50a971b2a61b0d14210a498.exe  CasPol.exe
  PID 4372 wrote to memory of 2832  4372  030d9daf754e7d55b6690abc958386c7bd69c539b50a971b2a61b0d14210a498.exe  CasPol.exe
  PID 4372 wrote to memory of 2832  4372  030d9daf754e7d55b6690abc958386c7bd69c539b50a971b2a61b0d14210a498.exe  CasPol.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\030d9daf754e7d55b6690abc958386c7bd69c539b50a971b2a61b0d14210a498.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\030d9daf754e7d55b6690abc958386c7bd69c539b50a971b2a61b0d14210a498.exe"
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe (child of process 1)
   Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"