117a5deaf35a81d9a43d73bdcaeca70d98b4d133a103f3f3d5b9b1453635c993

Resubmissions

13/05/2023, 02:57

13/05/2023, 02:56

max time kernel
37s
max time network
31s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
13/05/2023, 02:56

Target

files.zip
Size

1KB
MD5

1164ca78006a3bf2fc5b78b2ac5b2661
SHA1

a73edb86f04ed9d6326d380f66c8407c882ff421
SHA256

117a5deaf35a81d9a43d73bdcaeca70d98b4d133a103f3f3d5b9b1453635c993
SHA512

3667a9ec099d7f8bbd583cd1e041f1a6818f78f7d7b4fa30f7c7bd764aceb9366ff046a6d21fcdae3ddeb37f20e0066d3f0539beb827a9342ee6cbe4dbcf26ec

Score

1^/10

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
1988	csc.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	284	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	284	AUDIODG.EXE
Token: 33	284	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	284	AUDIODG.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1776 wrote to memory of 1988	1776	cmd.exe	34
PID 1776 wrote to memory of 1988	1776	cmd.exe	34
PID 1776 wrote to memory of 1988	1776	cmd.exe	34
PID 1776 wrote to memory of 1988	1776	cmd.exe	34
PID 1988 wrote to memory of 1320	1988	csc.exe	35
PID 1988 wrote to memory of 1320	1988	csc.exe	35
PID 1988 wrote to memory of 1320	1988	csc.exe	35
PID 1988 wrote to memory of 1320	1988	csc.exe	35

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\files.zip
1⤵
PID:1608

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x540
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:284

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\Desktop\compile.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:1776
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe loader.txt
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of WriteProcessMemory
  PID:1988
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES979F.tmp" "c:\Users\Admin\Desktop\CSC7768D91CE71846ADAD3781C3C6361284.TMP"
    3⤵
    PID:1320

C:\Users\Admin\AppData\Local\Temp\RES979F.tmp

Filesize
1KB

MD5
10c6558d77c83abeca058564c4e234f0

SHA1
c07cc1a7bf780fc31a36302ab5bb15071f5bd7d5

SHA256
c32d6ac6679e8a77cf3b2f7689e8938f34d555c69abb7e8a452510eeeeb9455f

SHA512
9d2a91dad68f0f271fcea103782e995b1701e55b49e47b7d22f16905e30b7aea1469aa123efb6751d2be4c2883f8ad7f0f7d5f842bcde4bf88379eb84ebabe68

Download Submit
\??\c:\Users\Admin\Desktop\CSC7768D91CE71846ADAD3781C3C6361284.TMP

Filesize
1KB

MD5
4f665f7525482fa7c7ee18f9ed01c9cc

SHA1
2bef12115b612e7149110ac7f8b3c04812fd13bd

SHA256
d5978b73ae5bbd52ca72189b57699e56ff678955846300c1e513d9068000b8e1

SHA512
abe83401d39e23565d913a50acd0bcd22fbf97af1ce8f8cc9c3f70adae68e1951bcf55b926cbf3d552b3126f9f5ef9eda4847d34c4846a2709fabb2a5b248415

Download Submit