6ca0732c155a15f67928a38c9c9ba8b2f08fb5e90fa38332b94b0457607c208b

Analysis

max time kernel
72s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
11/04/2023, 17:24

Target

OriginalBuild.exe
Size

234KB
MD5

4851971e37ce8cd2b61a795780b7d4b5
SHA1

eab1b044ddb4df43660b96cf8000e6b0bacf9f6e
SHA256

6ca0732c155a15f67928a38c9c9ba8b2f08fb5e90fa38332b94b0457607c208b
SHA512

82bbaa0f15206a2322a75d20571baf20c5e7e91c6cc5e1d4fdc1aebc36624c2da7cefa036e7bf6d1e0252a914e705631829cc12ade308f872ffe008b7c8731de
SSDEEP

3072:Yiwwb6hYh8zBR4FGTy8YkMwjmalLUZ7d+a+4alnzr1AXwBdR+6dO6drF4OogCY14:dY+hxl6pi4lnzr8wBWr692c1IOq

Score

1^/10

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
888	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	888	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1776 wrote to memory of 888	1776	OriginalBuild.exe	28
PID 1776 wrote to memory of 888	1776	OriginalBuild.exe	28
PID 1776 wrote to memory of 888	1776	OriginalBuild.exe	28
PID 1776 wrote to memory of 888	1776	OriginalBuild.exe	28

C:\Users\Admin\AppData\Local\Temp\OriginalBuild.exe
"C:\Users\Admin\AppData\Local\Temp\OriginalBuild.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1776
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:888

memory/1776-54-0x00000000002E0000-0x000000000031C000-memory.dmp

Filesize
240KB

Download
memory/1776-55-0x0000000004BE0000-0x0000000004C20000-memory.dmp

Filesize
256KB

Download