7988fe75eb1abeac99917732c69e0de5e96137b5a8f471b4c8af2ef378505312

Analysis

max time kernel
42s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
22-03-2023 14:40

Target

tmp.exe
Size

1.3MB
MD5

d8e622d9974ee940831e507fac715c94
SHA1

7f6b6850c5146c6942148eae317387e5c85342ea
SHA256

7988fe75eb1abeac99917732c69e0de5e96137b5a8f471b4c8af2ef378505312
SHA512

6c5bd4dd4bfbb4c75bf392141446496473cf035ebfe6b70bdfe0278ec67ffbffdc4b9ba937ca80d5ef7ed80fa8ce6ca3ebd4e02821f155580377b503ed17a3d6
SSDEEP

24576:V5F02vDR3+R4znIM4PkgW6REfPSt6BPoUi17+9QloSN3TEt8dni:fF/9RnIIgWBg+AUi1S9QCSNDEin

Score

1^/10

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

tmp.exe

pid process

1064 tmp.exe
1064 tmp.exe
1064 tmp.exe
1064 tmp.exe
1064 tmp.exe
1064 tmp.exe
1064 tmp.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

tmp.exe

description pid process

Token: SeDebugPrivilege 1064 tmp.exe

description	pid	process
Token: SeDebugPrivilege	1064	tmp.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

tmp.exe

description	pid	process	target process
PID 1064 wrote to memory of 740	1064	tmp.exe	tmp.exe
PID 1064 wrote to memory of 740	1064	tmp.exe	tmp.exe
PID 1064 wrote to memory of 740	1064	tmp.exe	tmp.exe
PID 1064 wrote to memory of 740	1064	tmp.exe	tmp.exe
PID 1064 wrote to memory of 268	1064	tmp.exe	tmp.exe
PID 1064 wrote to memory of 268	1064	tmp.exe	tmp.exe
PID 1064 wrote to memory of 268	1064	tmp.exe	tmp.exe
PID 1064 wrote to memory of 268	1064	tmp.exe	tmp.exe
PID 1064 wrote to memory of 1860	1064	tmp.exe	tmp.exe
PID 1064 wrote to memory of 1860	1064	tmp.exe	tmp.exe
PID 1064 wrote to memory of 1860	1064	tmp.exe	tmp.exe
PID 1064 wrote to memory of 1860	1064	tmp.exe	tmp.exe
PID 1064 wrote to memory of 1856	1064	tmp.exe	tmp.exe
PID 1064 wrote to memory of 1856	1064	tmp.exe	tmp.exe
PID 1064 wrote to memory of 1856	1064	tmp.exe	tmp.exe
PID 1064 wrote to memory of 1856	1064	tmp.exe	tmp.exe
PID 1064 wrote to memory of 520	1064	tmp.exe	tmp.exe
PID 1064 wrote to memory of 520	1064	tmp.exe	tmp.exe
PID 1064 wrote to memory of 520	1064	tmp.exe	tmp.exe
PID 1064 wrote to memory of 520	1064	tmp.exe	tmp.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1064
- C:\Users\Admin\AppData\Local\Temp\tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  2⤵
  PID:740
- C:\Users\Admin\AppData\Local\Temp\tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  2⤵
  PID:268
- C:\Users\Admin\AppData\Local\Temp\tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  2⤵
  PID:1860
- C:\Users\Admin\AppData\Local\Temp\tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  2⤵
  PID:1856
- C:\Users\Admin\AppData\Local\Temp\tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  2⤵
  PID:520

memory/1064-54-0x00000000003B0000-0x00000000004FA000-memory.dmp

Filesize
1.3MB

Download
memory/1064-55-0x0000000004B80000-0x0000000004BC0000-memory.dmp

Filesize
256KB

Download
memory/1064-56-0x00000000005F0000-0x0000000000602000-memory.dmp

Filesize
72KB

Download
memory/1064-57-0x0000000004B80000-0x0000000004BC0000-memory.dmp

Filesize
256KB

Download
memory/1064-58-0x00000000084E0000-0x00000000085D4000-memory.dmp

Filesize
976KB

Download
memory/1064-59-0x00000000053F0000-0x000000000546E000-memory.dmp

Filesize
504KB

Download