ce6a2a05fc9236f9d784344198256451dbe5f91a1350d397ef0e64784cacae13

Resubmissions

24-08-2023 06:12

230824-gyggtsae64 10

27-05-2023 16:10

230527-tmmwpacg8v 3

Analysis

max time kernel
28s
max time network
31s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
27-05-2023 16:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b8ea26cc228123ecb77b46d325f0ec34dd5c9b37e3e4ec492a4bf51840218025.exe
Size

10.7MB
MD5

55e01ccde663350f90205c74a706ae81
SHA1

2f2c95f12d3cb3eaa1bcbf79ea1bfebad0e9051b
SHA256

b8ea26cc228123ecb77b46d325f0ec34dd5c9b37e3e4ec492a4bf51840218025
SHA512

d8fc0de1a3b69719e2b4377c159c5d71d1d32b1a13ea65aa5061c8171b3a94d3a79279f8188440c14112568b70cd1d98ba9b6132c272e0c89ba7cbb281db6b46
SSDEEP

98304:4R2ST6gbhYU35sX8LAVy4KEIhfdYOPzZTiNT:4R7nhY+5vLAVy4XPOPzaT

Score

1^/10

Malware Config

Signatures

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1424	b8ea26cc228123ecb77b46d325f0ec34dd5c9b37e3e4ec492a4bf51840218025.exe
Token: SeIncreaseQuotaPrivilege	1140	wmic.exe
Token: SeSecurityPrivilege	1140	wmic.exe
Token: SeTakeOwnershipPrivilege	1140	wmic.exe
Token: SeLoadDriverPrivilege	1140	wmic.exe
Token: SeSystemProfilePrivilege	1140	wmic.exe
Token: SeSystemtimePrivilege	1140	wmic.exe
Token: SeProfSingleProcessPrivilege	1140	wmic.exe
Token: SeIncBasePriorityPrivilege	1140	wmic.exe
Token: SeCreatePagefilePrivilege	1140	wmic.exe
Token: SeBackupPrivilege	1140	wmic.exe
Token: SeRestorePrivilege	1140	wmic.exe
Token: SeShutdownPrivilege	1140	wmic.exe
Token: SeDebugPrivilege	1140	wmic.exe
Token: SeSystemEnvironmentPrivilege	1140	wmic.exe
Token: SeRemoteShutdownPrivilege	1140	wmic.exe
Token: SeUndockPrivilege	1140	wmic.exe
Token: SeManageVolumePrivilege	1140	wmic.exe
Token: 33	1140	wmic.exe
Token: 34	1140	wmic.exe
Token: 35	1140	wmic.exe
Token: SeIncreaseQuotaPrivilege	1140	wmic.exe
Token: SeSecurityPrivilege	1140	wmic.exe
Token: SeTakeOwnershipPrivilege	1140	wmic.exe
Token: SeLoadDriverPrivilege	1140	wmic.exe
Token: SeSystemProfilePrivilege	1140	wmic.exe
Token: SeSystemtimePrivilege	1140	wmic.exe
Token: SeProfSingleProcessPrivilege	1140	wmic.exe
Token: SeIncBasePriorityPrivilege	1140	wmic.exe
Token: SeCreatePagefilePrivilege	1140	wmic.exe
Token: SeBackupPrivilege	1140	wmic.exe
Token: SeRestorePrivilege	1140	wmic.exe
Token: SeShutdownPrivilege	1140	wmic.exe
Token: SeDebugPrivilege	1140	wmic.exe
Token: SeSystemEnvironmentPrivilege	1140	wmic.exe
Token: SeRemoteShutdownPrivilege	1140	wmic.exe
Token: SeUndockPrivilege	1140	wmic.exe
Token: SeManageVolumePrivilege	1140	wmic.exe
Token: 33	1140	wmic.exe
Token: 34	1140	wmic.exe
Token: 35	1140	wmic.exe
Token: SeIncreaseQuotaPrivilege	524	wmic.exe
Token: SeSecurityPrivilege	524	wmic.exe
Token: SeTakeOwnershipPrivilege	524	wmic.exe
Token: SeLoadDriverPrivilege	524	wmic.exe
Token: SeSystemProfilePrivilege	524	wmic.exe
Token: SeSystemtimePrivilege	524	wmic.exe
Token: SeProfSingleProcessPrivilege	524	wmic.exe
Token: SeIncBasePriorityPrivilege	524	wmic.exe
Token: SeCreatePagefilePrivilege	524	wmic.exe
Token: SeBackupPrivilege	524	wmic.exe
Token: SeRestorePrivilege	524	wmic.exe
Token: SeShutdownPrivilege	524	wmic.exe
Token: SeDebugPrivilege	524	wmic.exe
Token: SeSystemEnvironmentPrivilege	524	wmic.exe
Token: SeRemoteShutdownPrivilege	524	wmic.exe
Token: SeUndockPrivilege	524	wmic.exe
Token: SeManageVolumePrivilege	524	wmic.exe
Token: 33	524	wmic.exe
Token: 34	524	wmic.exe
Token: 35	524	wmic.exe
Token: SeIncreaseQuotaPrivilege	524	wmic.exe
Token: SeSecurityPrivilege	524	wmic.exe
Token: SeTakeOwnershipPrivilege	524	wmic.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1424 wrote to memory of 1140	1424	b8ea26cc228123ecb77b46d325f0ec34dd5c9b37e3e4ec492a4bf51840218025.exe	29
PID 1424 wrote to memory of 1140	1424	b8ea26cc228123ecb77b46d325f0ec34dd5c9b37e3e4ec492a4bf51840218025.exe	29
PID 1424 wrote to memory of 1140	1424	b8ea26cc228123ecb77b46d325f0ec34dd5c9b37e3e4ec492a4bf51840218025.exe	29
PID 1424 wrote to memory of 524	1424	b8ea26cc228123ecb77b46d325f0ec34dd5c9b37e3e4ec492a4bf51840218025.exe	31
PID 1424 wrote to memory of 524	1424	b8ea26cc228123ecb77b46d325f0ec34dd5c9b37e3e4ec492a4bf51840218025.exe	31
PID 1424 wrote to memory of 524	1424	b8ea26cc228123ecb77b46d325f0ec34dd5c9b37e3e4ec492a4bf51840218025.exe	31
PID 1424 wrote to memory of 860	1424	b8ea26cc228123ecb77b46d325f0ec34dd5c9b37e3e4ec492a4bf51840218025.exe	32
PID 1424 wrote to memory of 860	1424	b8ea26cc228123ecb77b46d325f0ec34dd5c9b37e3e4ec492a4bf51840218025.exe	32
PID 1424 wrote to memory of 860	1424	b8ea26cc228123ecb77b46d325f0ec34dd5c9b37e3e4ec492a4bf51840218025.exe	32
PID 1424 wrote to memory of 1764	1424	b8ea26cc228123ecb77b46d325f0ec34dd5c9b37e3e4ec492a4bf51840218025.exe	33
PID 1424 wrote to memory of 1764	1424	b8ea26cc228123ecb77b46d325f0ec34dd5c9b37e3e4ec492a4bf51840218025.exe	33
PID 1424 wrote to memory of 1764	1424	b8ea26cc228123ecb77b46d325f0ec34dd5c9b37e3e4ec492a4bf51840218025.exe	33
PID 1424 wrote to memory of 836	1424	b8ea26cc228123ecb77b46d325f0ec34dd5c9b37e3e4ec492a4bf51840218025.exe	34
PID 1424 wrote to memory of 836	1424	b8ea26cc228123ecb77b46d325f0ec34dd5c9b37e3e4ec492a4bf51840218025.exe	34
PID 1424 wrote to memory of 836	1424	b8ea26cc228123ecb77b46d325f0ec34dd5c9b37e3e4ec492a4bf51840218025.exe	34
PID 1424 wrote to memory of 900	1424	b8ea26cc228123ecb77b46d325f0ec34dd5c9b37e3e4ec492a4bf51840218025.exe	35
PID 1424 wrote to memory of 900	1424	b8ea26cc228123ecb77b46d325f0ec34dd5c9b37e3e4ec492a4bf51840218025.exe	35
PID 1424 wrote to memory of 900	1424	b8ea26cc228123ecb77b46d325f0ec34dd5c9b37e3e4ec492a4bf51840218025.exe	35
PID 1424 wrote to memory of 1876	1424	b8ea26cc228123ecb77b46d325f0ec34dd5c9b37e3e4ec492a4bf51840218025.exe	36
PID 1424 wrote to memory of 1876	1424	b8ea26cc228123ecb77b46d325f0ec34dd5c9b37e3e4ec492a4bf51840218025.exe	36
PID 1424 wrote to memory of 1876	1424	b8ea26cc228123ecb77b46d325f0ec34dd5c9b37e3e4ec492a4bf51840218025.exe	36
PID 1424 wrote to memory of 112	1424	b8ea26cc228123ecb77b46d325f0ec34dd5c9b37e3e4ec492a4bf51840218025.exe	37
PID 1424 wrote to memory of 112	1424	b8ea26cc228123ecb77b46d325f0ec34dd5c9b37e3e4ec492a4bf51840218025.exe	37
PID 1424 wrote to memory of 112	1424	b8ea26cc228123ecb77b46d325f0ec34dd5c9b37e3e4ec492a4bf51840218025.exe	37

C:\Users\Admin\AppData\Local\Temp\b8ea26cc228123ecb77b46d325f0ec34dd5c9b37e3e4ec492a4bf51840218025.exe
"C:\Users\Admin\AppData\Local\Temp\b8ea26cc228123ecb77b46d325f0ec34dd5c9b37e3e4ec492a4bf51840218025.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1424
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1140
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:524
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:860
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:1764
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:836
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:900
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:1876
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:112

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads