Analysis
- max time kernel: 149s
- max time network: 34s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 12-05-2023 11:44
Static task: static1
Behavioral task: behavioral1
- Sample: file.exe
- Resource: win7-20230220-en (windows7-x64)
- 3 signatures
- 150 seconds
Behavioral task: behavioral2
- Sample: file.exe
- Resource: win10v2004-20230220-en (windows10-2004-x64)
- 7 signatures
- 150 seconds
General
- Target: file.exe
- Size: 332KB
- MD5: c5674099c10fc02100253a248cd1d4f9
- SHA1: 489a0dc2967bf1e0dd30e984eeaff4cd07ab8dae
- SHA256: d6832a537c3e0be47b10e40736bed91c4768ace163b110d96c6700aabe6c5fb3
- SHA512: 4c13a467a70a425d366d94dd2ba45fd8b7f3d12705aea99d418fa76be6d26bf37c6cd5d9363890be7dc69add4ff488aff6a4cdbd346851eea73cae0887d0e4cc
- SSDEEP: 6144:xMtTVz4Zwp+e50XrDkodpbMk9d2p8gSqP4p1IOq:MajX2p8gSqO14
- Score: 1/10
Malware Config
Signatures
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid, process): 1396 file.exe (listed repeatedly); 2020 powershell.exe (listed once)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description, pid, process): Token: SeDebugPrivilege, 1396, file.exe; Token: SeDebugPrivilege, 2020, powershell.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description, pid, process, target process): PID 1396 wrote to memory of 2020, 1396, file.exe, powershell.exe (listed 4 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\file.exe (command line: "C:\Users\Admin\AppData\Local\Temp\file.exe", depth 1)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (command line: "powershell.exe", depth 2)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/1396-54-0x00000000010C0000-0x0000000001114000-memory.dmp (Filesize: 336KB)
- memory/1396-55-0x0000000004B80000-0x0000000004BC0000-memory.dmp (Filesize: 256KB)
- memory/1396-60-0x0000000004B80000-0x0000000004BC0000-memory.dmp (Filesize: 256KB)
- memory/2020-58-0x00000000027F0000-0x0000000002830000-memory.dmp (Filesize: 256KB)
- memory/2020-59-0x00000000027F0000-0x0000000002830000-memory.dmp (Filesize: 256KB)
- memory/2020-61-0x00000000027F0000-0x0000000002830000-memory.dmp (Filesize: 256KB)
- memory/2020-62-0x00000000027F0000-0x0000000002830000-memory.dmp (Filesize: 256KB)