77a9404f69c6aeda75a4aafb7cd19f80c7ab645ff83308a8696bf5a66f4170b7

Analysis

max time kernel
135s
max time network
111s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
15/04/2023, 15:34

Target

b1bfcf0b5a97ce421a28a387bd469161.exe
Size

552KB
MD5

b1bfcf0b5a97ce421a28a387bd469161
SHA1

c5432e36a564b2c2e426134edaf485c7b2a6a652
SHA256

77a9404f69c6aeda75a4aafb7cd19f80c7ab645ff83308a8696bf5a66f4170b7
SHA512

ddb466910b266a4d4b1653f44d8722132b2e368ac8f0c2d5f3d7808c7d5589c9f499c2d5617bb5d4b58b80e9ca9d567d2937143ca876af5530719e03695bbb9a
SSDEEP

12288:T8sp3E3HDei3oXA2jCXgXLz/HQOqzjW/Nx:T8wU3Hq6oXA2jBXHnqzjG

Score

6^/10

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
824	b1bfcf0b5a97ce421a28a387bd469161.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
568	dw20.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	824	b1bfcf0b5a97ce421a28a387bd469161.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 824 wrote to memory of 568	824	b1bfcf0b5a97ce421a28a387bd469161.exe	28
PID 824 wrote to memory of 568	824	b1bfcf0b5a97ce421a28a387bd469161.exe	28
PID 824 wrote to memory of 568	824	b1bfcf0b5a97ce421a28a387bd469161.exe	28
PID 824 wrote to memory of 568	824	b1bfcf0b5a97ce421a28a387bd469161.exe	28

C:\Users\Admin\AppData\Local\Temp\b1bfcf0b5a97ce421a28a387bd469161.exe
"C:\Users\Admin\AppData\Local\Temp\b1bfcf0b5a97ce421a28a387bd469161.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:824
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
  dw20.exe -x -s 1460
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  PID:568

memory/568-56-0x0000000002760000-0x0000000002761000-memory.dmp

Filesize
4KB

Download
memory/824-54-0x00000000003C0000-0x0000000000400000-memory.dmp

Filesize
256KB

Download
memory/824-55-0x00000000003C0000-0x0000000000400000-memory.dmp

Filesize
256KB

Download
memory/824-57-0x00000000003C0000-0x0000000000400000-memory.dmp

Filesize
256KB

Download