Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
02/06/2023, 13:14
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20230220-en
windows7-x64
4 signatures
150 seconds
Behavioral task
behavioral2
Sample
file.exe
Resource
win10v2004-20230220-en
windows10-2004-x64
4 signatures
150 seconds
General
-
Target
file.exe
-
Size
448KB
-
MD5
d75adb1d4ee451bf3727321277d5518c
-
SHA1
b976c804e101cd6e8d290031fa9ec966698bc715
-
SHA256
b4cf4a2ec95d860b75978258e4610ad9f48d4f8cdd1c22059feb775aad372479
-
SHA512
64956041ca9321327dc5b4d7c708603ce97b0d7fdb0bd8eb377c61f9a93a4d21e755808c5251c2e9bb20bcfdc14c013741ba136745fb51323fce35d125cb999c
-
SSDEEP
12288:QXMDVuJsY+yzqudw1ClqjWWf3te6yBncIZa:QXM8sOquaklbkk6ga
Score
5/10
Malware Config
Signatures
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2924 set thread context of 1912 2924 file.exe 94 -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2924 file.exe 2924 file.exe 2924 file.exe 2924 file.exe 2924 file.exe 2924 file.exe 2924 file.exe 2924 file.exe 2924 file.exe 2924 file.exe 2924 file.exe 2924 file.exe 2924 file.exe 2924 file.exe 2924 file.exe 2924 file.exe 2924 file.exe 2924 file.exe 2924 file.exe 2924 file.exe 1912 AddInProcess32.exe 1912 AddInProcess32.exe 1912 AddInProcess32.exe 1912 AddInProcess32.exe 1912 AddInProcess32.exe 1912 AddInProcess32.exe 1912 AddInProcess32.exe 1912 AddInProcess32.exe 1912 AddInProcess32.exe 1912 AddInProcess32.exe 1912 AddInProcess32.exe 1912 AddInProcess32.exe 1912 AddInProcess32.exe 1912 AddInProcess32.exe 1912 AddInProcess32.exe 1912 AddInProcess32.exe 1912 AddInProcess32.exe 1912 AddInProcess32.exe 1912 AddInProcess32.exe 1912 AddInProcess32.exe 1912 AddInProcess32.exe 1912 AddInProcess32.exe 1912 AddInProcess32.exe 1912 AddInProcess32.exe 1912 AddInProcess32.exe 1912 AddInProcess32.exe 1912 AddInProcess32.exe 1912 AddInProcess32.exe 1912 AddInProcess32.exe 1912 AddInProcess32.exe 1912 AddInProcess32.exe 1912 AddInProcess32.exe 1912 AddInProcess32.exe 1912 AddInProcess32.exe 1912 AddInProcess32.exe 1912 AddInProcess32.exe 1912 AddInProcess32.exe 1912 AddInProcess32.exe 1912 AddInProcess32.exe 1912 AddInProcess32.exe 1912 AddInProcess32.exe 1912 AddInProcess32.exe 1912 AddInProcess32.exe 1912 AddInProcess32.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2924 file.exe Token: SeDebugPrivilege 1912 AddInProcess32.exe -
Suspicious use of WriteProcessMemory 26 IoCs
description pid Process procid_target PID 2924 wrote to memory of 4136 2924 file.exe 84 PID 2924 wrote to memory of 4136 2924 file.exe 84 PID 2924 wrote to memory of 4148 2924 file.exe 85 PID 2924 wrote to memory of 4148 2924 file.exe 85 PID 2924 wrote to memory of 4408 2924 file.exe 86 PID 2924 wrote to memory of 4408 2924 file.exe 86 PID 2924 wrote to memory of 4144 2924 file.exe 87 PID 2924 wrote to memory of 4144 2924 file.exe 87 PID 2924 wrote to memory of 1636 2924 file.exe 88 PID 2924 wrote to memory of 1636 2924 file.exe 88 PID 2924 wrote to memory of 232 2924 file.exe 89 PID 2924 wrote to memory of 232 2924 file.exe 89 PID 2924 wrote to memory of 112 2924 file.exe 90 PID 2924 wrote to memory of 112 2924 file.exe 90 PID 2924 wrote to memory of 224 2924 file.exe 91 PID 2924 wrote to memory of 224 2924 file.exe 91 PID 2924 wrote to memory of 216 2924 file.exe 92 PID 2924 wrote to memory of 216 2924 file.exe 92 PID 2924 wrote to memory of 4124 2924 file.exe 93 PID 2924 wrote to memory of 4124 2924 file.exe 93 PID 2924 wrote to memory of 1912 2924 file.exe 94 PID 2924 wrote to memory of 1912 2924 file.exe 94 PID 2924 wrote to memory of 1912 2924 file.exe 94 PID 2924 wrote to memory of 1912 2924 file.exe 94 PID 2924 wrote to memory of 1912 2924 file.exe 94 PID 2924 wrote to memory of 1912 2924 file.exe 94
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2924 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"2⤵PID:4136
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe"2⤵PID:4148
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe"2⤵PID:4408
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe"2⤵PID:4144
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe"2⤵PID:1636
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"2⤵PID:232
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe"2⤵PID:112
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"2⤵PID:224
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe"2⤵PID:216
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe"2⤵PID:4124
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1912
-