169c4a3f668ce8d737dd54f1ab2a920badc42832968e7987eb660319eb938259

Analysis

max time kernel
135s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
16/06/2023, 15:47

Target

bill slip.exe
Size

775KB
MD5

b58f92af2dfcb2b3a68725af2bf950e3
SHA1

2a69c0a289d4f41d8ab2ed3b3ff9bb16e4cd2f6e
SHA256

169c4a3f668ce8d737dd54f1ab2a920badc42832968e7987eb660319eb938259
SHA512

c645108ee108f1cca6280b96d90cdeadc7cb11962fc2897c6d4708e37b4cb19411165f79693d0e2c9b76aed6264f97191601195208c392a7d098d7a65017770f
SSDEEP

24576:mqOufrq7x/7Tjd7Adn/HowKExFb0rb6usC+4qXdVJ:hFfCRlEVvowKELgZsC+4qXt

Score

7^/10

Suspicious behavior: EnumeratesProcesses 11 IoCs

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2068	bill slip.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2068 wrote to memory of 1364	2068	bill slip.exe	90
PID 2068 wrote to memory of 1364	2068	bill slip.exe	90
PID 2068 wrote to memory of 1364	2068	bill slip.exe	90
PID 2068 wrote to memory of 448	2068	bill slip.exe	91
PID 2068 wrote to memory of 448	2068	bill slip.exe	91
PID 2068 wrote to memory of 448	2068	bill slip.exe	91
PID 2068 wrote to memory of 4988	2068	bill slip.exe	92
PID 2068 wrote to memory of 4988	2068	bill slip.exe	92
PID 2068 wrote to memory of 4988	2068	bill slip.exe	92
PID 2068 wrote to memory of 4636	2068	bill slip.exe	93
PID 2068 wrote to memory of 4636	2068	bill slip.exe	93
PID 2068 wrote to memory of 4636	2068	bill slip.exe	93
PID 2068 wrote to memory of 4984	2068	bill slip.exe	94
PID 2068 wrote to memory of 4984	2068	bill slip.exe	94
PID 2068 wrote to memory of 4984	2068	bill slip.exe	94

C:\Users\Admin\AppData\Local\Temp\bill slip.exe
"C:\Users\Admin\AppData\Local\Temp\bill slip.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:1364
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:448
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:4988
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:4636
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:4984

Initial Access

Execution

Scripting

Persistence

Privilege Escalation

Defense Evasion

Scripting

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/2068-133-0x0000000000100000-0x00000000001C8000-memory.dmp

Filesize
800KB

Download
memory/2068-134-0x0000000005100000-0x00000000056A4000-memory.dmp

Filesize
5.6MB

Download
memory/2068-135-0x0000000004BF0000-0x0000000004C82000-memory.dmp

Filesize
584KB

Download
memory/2068-136-0x00000000050B0000-0x00000000050BA000-memory.dmp

Filesize
40KB

Download
memory/2068-137-0x0000000004D30000-0x0000000004D40000-memory.dmp

Filesize
64KB

Download
memory/2068-138-0x0000000004D30000-0x0000000004D40000-memory.dmp

Filesize
64KB

Download
memory/2068-139-0x0000000008510000-0x00000000085AC000-memory.dmp

Filesize
624KB

Download