6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c

Analysis

max time kernel
235s
max time network
336s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
05-05-2023 20:55

Target

PO39100.exe
Size

1.5MB
MD5

13dc441ec2f9e3f9aa1f354a4b14d318
SHA1

05b62c596ca78745d73514cd5d43434929955863
SHA256

6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c
SHA512

30f4da77bf1ba35334fc1812a6792bb91396fdc8cc7b918f81c6395a48523079cccc89c7090b5c21c30ab62939fa8663cc695ad7d876f083773f7c85cffc5242
SSDEEP

24576:TwMryIYPOfPFxgvnRnc215nETdxUA6p7GDHDCf0uEywBk1EM8Xzd:Md5PsPfgvRv0gA6pYC52lD

Score

1^/10

Suspicious behavior: EnumeratesProcesses 5 IoCs

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1728	PO39100.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 780	1728	PO39100.exe	28
PID 1728 wrote to memory of 780	1728	PO39100.exe	28
PID 1728 wrote to memory of 780	1728	PO39100.exe	28
PID 1728 wrote to memory of 780	1728	PO39100.exe	28
PID 1728 wrote to memory of 1320	1728	PO39100.exe	29
PID 1728 wrote to memory of 1320	1728	PO39100.exe	29
PID 1728 wrote to memory of 1320	1728	PO39100.exe	29
PID 1728 wrote to memory of 1320	1728	PO39100.exe	29
PID 1728 wrote to memory of 1800	1728	PO39100.exe	30
PID 1728 wrote to memory of 1800	1728	PO39100.exe	30
PID 1728 wrote to memory of 1800	1728	PO39100.exe	30
PID 1728 wrote to memory of 1800	1728	PO39100.exe	30
PID 1728 wrote to memory of 1240	1728	PO39100.exe	31
PID 1728 wrote to memory of 1240	1728	PO39100.exe	31
PID 1728 wrote to memory of 1240	1728	PO39100.exe	31
PID 1728 wrote to memory of 1240	1728	PO39100.exe	31
PID 1728 wrote to memory of 1204	1728	PO39100.exe	32
PID 1728 wrote to memory of 1204	1728	PO39100.exe	32
PID 1728 wrote to memory of 1204	1728	PO39100.exe	32
PID 1728 wrote to memory of 1204	1728	PO39100.exe	32

C:\Users\Admin\AppData\Local\Temp\PO39100.exe
"C:\Users\Admin\AppData\Local\Temp\PO39100.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Users\Admin\AppData\Local\Temp\PO39100.exe
  "C:\Users\Admin\AppData\Local\Temp\PO39100.exe"
  2⤵
  PID:780
- C:\Users\Admin\AppData\Local\Temp\PO39100.exe
  "C:\Users\Admin\AppData\Local\Temp\PO39100.exe"
  2⤵
  PID:1320
- C:\Users\Admin\AppData\Local\Temp\PO39100.exe
  "C:\Users\Admin\AppData\Local\Temp\PO39100.exe"
  2⤵
  PID:1800
- C:\Users\Admin\AppData\Local\Temp\PO39100.exe
  "C:\Users\Admin\AppData\Local\Temp\PO39100.exe"
  2⤵
  PID:1240
- C:\Users\Admin\AppData\Local\Temp\PO39100.exe
  "C:\Users\Admin\AppData\Local\Temp\PO39100.exe"
  2⤵
  PID:1204

memory/1728-54-0x00000000003D0000-0x0000000000558000-memory.dmp

Filesize
1.5MB

Download
memory/1728-55-0x0000000004EC0000-0x0000000004F00000-memory.dmp

Filesize
256KB

Download
memory/1728-56-0x0000000000330000-0x0000000000342000-memory.dmp

Filesize
72KB

Download
memory/1728-57-0x0000000004EC0000-0x0000000004F00000-memory.dmp

Filesize
256KB

Download
memory/1728-58-0x0000000000360000-0x000000000036C000-memory.dmp

Filesize
48KB

Download
memory/1728-59-0x0000000005AD0000-0x0000000005C08000-memory.dmp

Filesize
1.2MB

Download
memory/1728-60-0x000000000A290000-0x000000000A440000-memory.dmp

Filesize
1.7MB

Download