Analysis

max time kernel: 25s
max time network: 31s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 13-04-2023 20:45
Static task: static1

Behavioral task: behavioral1
  Sample: ebd1368979b5adb9586ce512b63876985a497e1727ffbd54732cd42eef992b81.exe
  Resource: win7-20230220-en

Behavioral task: behavioral2
  Sample: ebd1368979b5adb9586ce512b63876985a497e1727ffbd54732cd42eef992b81.exe
  Resource: win10v2004-20230220-en
General

Target: ebd1368979b5adb9586ce512b63876985a497e1727ffbd54732cd42eef992b81.exe
Size: 10.0MB
MD5: 83fbded097edeeeec35ebb02e6f58efb
SHA1: 0b2ee0d31fceb7108c0fdbf160ecbc7a0d3f74b1
SHA256: ebd1368979b5adb9586ce512b63876985a497e1727ffbd54732cd42eef992b81
SHA512: a70f52eebca88019ba06c2b22ac0d0119d23a1b7b358c6132d617eb444a76eb299fa2c211c1b83d4d32377aaf62a1e56e90f5c36a0e76456d96a724739a70529
SSDEEP: 98304:TOcegIdwqxPLEx6AfWOk3FeCN5RLVzS2pTTDrx9mhgEUwvR:TefGqawAeOk38CrRdvmhtU
Malware Config
Signatures
Suspicious use of AdjustPrivilegeToken (40 IoCs)

description                            pid   Process
Token: SeIncreaseQuotaPrivilege        2024  WMIC.exe
Token: SeSecurityPrivilege             2024  WMIC.exe
Token: SeTakeOwnershipPrivilege        2024  WMIC.exe
Token: SeLoadDriverPrivilege           2024  WMIC.exe
Token: SeSystemProfilePrivilege        2024  WMIC.exe
Token: SeSystemtimePrivilege           2024  WMIC.exe
Token: SeProfSingleProcessPrivilege    2024  WMIC.exe
Token: SeIncBasePriorityPrivilege      2024  WMIC.exe
Token: SeCreatePagefilePrivilege       2024  WMIC.exe
Token: SeBackupPrivilege               2024  WMIC.exe
Token: SeRestorePrivilege              2024  WMIC.exe
Token: SeShutdownPrivilege             2024  WMIC.exe
Token: SeDebugPrivilege                2024  WMIC.exe
Token: SeSystemEnvironmentPrivilege    2024  WMIC.exe
Token: SeRemoteShutdownPrivilege       2024  WMIC.exe
Token: SeUndockPrivilege               2024  WMIC.exe
Token: SeManageVolumePrivilege         2024  WMIC.exe
Token: 33                              2024  WMIC.exe
Token: 34                              2024  WMIC.exe
Token: 35                              2024  WMIC.exe
Token: SeIncreaseQuotaPrivilege        2024  WMIC.exe
Token: SeSecurityPrivilege             2024  WMIC.exe
Token: SeTakeOwnershipPrivilege        2024  WMIC.exe
Token: SeLoadDriverPrivilege           2024  WMIC.exe
Token: SeSystemProfilePrivilege        2024  WMIC.exe
Token: SeSystemtimePrivilege           2024  WMIC.exe
Token: SeProfSingleProcessPrivilege    2024  WMIC.exe
Token: SeIncBasePriorityPrivilege      2024  WMIC.exe
Token: SeCreatePagefilePrivilege       2024  WMIC.exe
Token: SeBackupPrivilege               2024  WMIC.exe
Token: SeRestorePrivilege              2024  WMIC.exe
Token: SeShutdownPrivilege             2024  WMIC.exe
Token: SeDebugPrivilege                2024  WMIC.exe
Token: SeSystemEnvironmentPrivilege    2024  WMIC.exe
Token: SeRemoteShutdownPrivilege       2024  WMIC.exe
Token: SeUndockPrivilege               2024  WMIC.exe
Token: SeManageVolumePrivilege         2024  WMIC.exe
Token: 33                              2024  WMIC.exe
Token: 34                              2024  WMIC.exe
Token: 35                              2024  WMIC.exe

Suspicious use of WriteProcessMemory (6 IoCs)

description                        pid   Process                                                                  procid_target
PID 1216 wrote to memory of 2032   1216  ebd1368979b5adb9586ce512b63876985a497e1727ffbd54732cd42eef992b81.exe    29
PID 1216 wrote to memory of 2032   1216  ebd1368979b5adb9586ce512b63876985a497e1727ffbd54732cd42eef992b81.exe    29
PID 1216 wrote to memory of 2032   1216  ebd1368979b5adb9586ce512b63876985a497e1727ffbd54732cd42eef992b81.exe    29
PID 2032 wrote to memory of 2024   2032  cmd.exe                                                                  30
PID 2032 wrote to memory of 2024   2032  cmd.exe                                                                  30
PID 2032 wrote to memory of 2024   2032  cmd.exe                                                                  30
Processes

C:\Users\Admin\AppData\Local\Temp\ebd1368979b5adb9586ce512b63876985a497e1727ffbd54732cd42eef992b81.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\ebd1368979b5adb9586ce512b63876985a497e1727ffbd54732cd42eef992b81.exe"
  PID: 1216
  signatures: Suspicious use of WriteProcessMemory

  C:\Windows\system32\cmd.exe
    command line: cmd.exe /c "wmic csproduct get uuid"
    PID: 2032
    signatures: Suspicious use of WriteProcessMemory

    C:\Windows\System32\Wbem\WMIC.exe
      command line: wmic csproduct get uuid
      PID: 2024
      signatures: Suspicious use of AdjustPrivilegeToken