5bb7052a555a42d2eb6cd4397166e2255249d4be8044ccbbe739afa9c18e4d92 | Triage

Analysis

max time kernel
46s
max time network
36s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
09-06-2023 20:46

Sharing

Report Analysis Logs

General

Target

tmp.exe
Size

36KB
MD5

056a05d771a6f441997c9800aabae60e
SHA1

2245332b59d6f966b12dd400cd52dc6b2decaa18
SHA256

5bb7052a555a42d2eb6cd4397166e2255249d4be8044ccbbe739afa9c18e4d92
SHA512

28765b2b61b44518a6419d32b42b4ceb3821c00b8ba2b1c6ef28bed01a05d217e7f62c95f1497d6f0620b56ec2fb88b7bba8902de000d375ecfba8f29fc3610d
SSDEEP

768:l3NLBTvcJdsYyPWO8EBfZakhq6zgA9WE:t7r9YyPWOvBfZdh5zgHE

Score

1^/10

Malware Config

Signatures

Kills process with taskkill 1 IoCs

pid	Process
1920	taskkill.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1920	taskkill.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2024	tmp.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 1920	2024	tmp.exe	28
PID 2024 wrote to memory of 1920	2024	tmp.exe	28
PID 2024 wrote to memory of 1920	2024	tmp.exe	28
PID 2024 wrote to memory of 1920	2024	tmp.exe	28

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Windows\SysWOW64\taskkill.exe
  taskkill.exe /f /t /im EV-CAT-KIOSK3.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1920

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads