295ebe6ba820bb813c6e9dd5526bf194a8da0268085ba0fc805f19c1ae3c6186

Analysis

max time kernel
47s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
20-04-2023 11:45

Target

tmpw1impcfu.exe
Size

1.5MB
MD5

26d46c2c07d584f1a04280f47182e909
SHA1

381ec91ba5c4206be19a10a1cb0d2328a9385d71
SHA256

295ebe6ba820bb813c6e9dd5526bf194a8da0268085ba0fc805f19c1ae3c6186
SHA512

3cd2e063ed27a84cfa2513e76a77f6ed8a7987ff42f1e5e9ab9400491b1cfc0b407945ca09ab1a839807ac850a44a0521aa5fa2f9a90c9bd2df1ee0eefc3c8c0
SSDEEP

24576:D1fkORzjCc1R7CIPVQ/NcnBZuSAszPeo28pW4NiocXtWLezho6OrHRYfDz:Dabc7nyNgqSHzPj3zDYt8EhuWf

Score

1^/10

Suspicious behavior: EnumeratesProcesses 5 IoCs

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1808	tmpw1impcfu.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1808 wrote to memory of 1856	1808	tmpw1impcfu.exe	28
PID 1808 wrote to memory of 1856	1808	tmpw1impcfu.exe	28
PID 1808 wrote to memory of 1856	1808	tmpw1impcfu.exe	28
PID 1808 wrote to memory of 1856	1808	tmpw1impcfu.exe	28
PID 1808 wrote to memory of 776	1808	tmpw1impcfu.exe	29
PID 1808 wrote to memory of 776	1808	tmpw1impcfu.exe	29
PID 1808 wrote to memory of 776	1808	tmpw1impcfu.exe	29
PID 1808 wrote to memory of 776	1808	tmpw1impcfu.exe	29
PID 1808 wrote to memory of 668	1808	tmpw1impcfu.exe	30
PID 1808 wrote to memory of 668	1808	tmpw1impcfu.exe	30
PID 1808 wrote to memory of 668	1808	tmpw1impcfu.exe	30
PID 1808 wrote to memory of 668	1808	tmpw1impcfu.exe	30
PID 1808 wrote to memory of 464	1808	tmpw1impcfu.exe	31
PID 1808 wrote to memory of 464	1808	tmpw1impcfu.exe	31
PID 1808 wrote to memory of 464	1808	tmpw1impcfu.exe	31
PID 1808 wrote to memory of 464	1808	tmpw1impcfu.exe	31
PID 1808 wrote to memory of 592	1808	tmpw1impcfu.exe	32
PID 1808 wrote to memory of 592	1808	tmpw1impcfu.exe	32
PID 1808 wrote to memory of 592	1808	tmpw1impcfu.exe	32
PID 1808 wrote to memory of 592	1808	tmpw1impcfu.exe	32

C:\Users\Admin\AppData\Local\Temp\tmpw1impcfu.exe
"C:\Users\Admin\AppData\Local\Temp\tmpw1impcfu.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1808
- C:\Users\Admin\AppData\Local\Temp\tmpw1impcfu.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpw1impcfu.exe"
  2⤵
  PID:1856
- C:\Users\Admin\AppData\Local\Temp\tmpw1impcfu.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpw1impcfu.exe"
  2⤵
  PID:776
- C:\Users\Admin\AppData\Local\Temp\tmpw1impcfu.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpw1impcfu.exe"
  2⤵
  PID:668
- C:\Users\Admin\AppData\Local\Temp\tmpw1impcfu.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpw1impcfu.exe"
  2⤵
  PID:464
- C:\Users\Admin\AppData\Local\Temp\tmpw1impcfu.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpw1impcfu.exe"
  2⤵
  PID:592

memory/1808-54-0x0000000000260000-0x00000000003DA000-memory.dmp

Filesize
1.5MB

Download
memory/1808-55-0x00000000004C0000-0x00000000004D4000-memory.dmp

Filesize
80KB

Download
memory/1808-56-0x0000000005010000-0x0000000005050000-memory.dmp

Filesize
256KB

Download
memory/1808-57-0x0000000005010000-0x0000000005050000-memory.dmp

Filesize
256KB

Download
memory/1808-58-0x00000000004F0000-0x00000000004FC000-memory.dmp

Filesize
48KB

Download
memory/1808-59-0x0000000005460000-0x0000000005598000-memory.dmp

Filesize
1.2MB

Download
memory/1808-60-0x0000000007D00000-0x0000000007EB0000-memory.dmp

Filesize
1.7MB

Download