Analysis
-
max time kernel
26s -
max time network
29s -
platform
windows7_x64 -
resource
win7-20230621-en -
resource tags
arch:x64 arch:x86 image:win7-20230621-en locale:en-us os:windows7-x64 system -
submitted
24-06-2023 01:00
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
3950c1e15b18007b3ee172a178fda0f8.exe
Resource
win7-20230621-en
windows7-x64
3 signatures
150 seconds
Behavioral task
behavioral2
Sample
3950c1e15b18007b3ee172a178fda0f8.exe
Resource
win10v2004-20230621-en
windows10-2004-x64
8 signatures
150 seconds
General
-
Target
3950c1e15b18007b3ee172a178fda0f8.exe
-
Size
151KB
-
MD5
3950c1e15b18007b3ee172a178fda0f8
-
SHA1
73345e1d1f324d93874e7de3bde75528ca30983c
-
SHA256
8ec6230482badb0211902e2d2e563a9b878f47ba7ff4fa22c4bbb15426a9a99c
-
SHA512
9575cca3db94074c1acd59c4aa7bf41663f6db16bd3b61a13cc767ac3a2d841323d285102a3807c6a7387cc49690ddea78dd0692dee14717693d3144089ad7ad
-
SSDEEP
3072:mgGJB5QpCwS40nLbL7kRDzz8LhAsT+Egm:mgIBOpCLXL7kZz8Cm
Score
1/10
Malware Config
Signatures
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
pid   process
1528  powershell.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description              pid   process
Token: SeDebugPrivilege  1528  powershell.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
description                        pid   process                               target process
PID 1668 wrote to memory of 1528   1668  3950c1e15b18007b3ee172a178fda0f8.exe  powershell.exe
PID 1668 wrote to memory of 1528   1668  3950c1e15b18007b3ee172a178fda0f8.exe  powershell.exe
PID 1668 wrote to memory of 1528   1668  3950c1e15b18007b3ee172a178fda0f8.exe  powershell.exe
PID 1668 wrote to memory of 1528   1668  3950c1e15b18007b3ee172a178fda0f8.exe  powershell.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\3950c1e15b18007b3ee172a178fda0f8.exe
"C:\Users\Admin\AppData\Local\Temp\3950c1e15b18007b3ee172a178fda0f8.exe"
- Suspicious use of WriteProcessMemory
-
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken