Analysis

- max time kernel: 31s
- max time network: 34s
- platform: windows7_x64
- resource: win7-20230621-en
- resource tags: arch:x64, arch:x86, image:win7-20230621-en, locale:en-us, os:windows7-x64, system
- submitted: 26-06-2023 13:44

Static task
- static1: 1 signatures

Behavioral task
- behavioral1
  Sample: b5237a3f0b1db945c1fe3f9ba71e3ff2.exe
  Resource: win7-20230621-en
  3 signatures, 150 seconds

Behavioral task
- behavioral2
  Sample: b5237a3f0b1db945c1fe3f9ba71e3ff2.exe
  Resource: win10v2004-20230621-en
  Tags: phobos, redline, smokeloader, systembc (the extracted tag list carries a stray "1" after this tag), backdoor, collection, evasion, infostealer, persistence, ransomware, spyware, stealer, trojan
  33 signatures, 150 seconds
General

- Target: b5237a3f0b1db945c1fe3f9ba71e3ff2.exe
- Size: 335KB
- MD5: b5237a3f0b1db945c1fe3f9ba71e3ff2
- SHA1: ba302c3c2490a3b1b04cfbdd76097f2444a54700
- SHA256: 239c93b0a44ce8723f181a2ec6d17e9fd9516c17241d8f5b2b0212c6d56a9eb2
- SHA512: 9879c4cd6e995916cbd8cb16f6cb3982b48b0ffc5d01479e2c2f3f73ae46a5129893571f94ded70a0ad61a1340c67ef8214018bbc7e1e17fd5395a4f55fb78a1
- SSDEEP: 6144:d/sM+uEe4oleWZxrigxyZdXlgdqUh+LoXl4m34fX6Rs+j2exWLsxAFFDwkGklYkv:5sM+uEe30D67j2exWPFxwkiVi
- Score: 1/10

The 1/10 score and the three signatures below come from this Windows 7 task (behavioral1). The Windows 10 task (behavioral2) is listed above with 33 signatures and family tags (phobos, redline, smokeloader, systembc), so treat the score on this page as task-specific rather than as a verdict on the sample.
Malware Config
Signatures

- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
    pid    process
    1992   powershell.exe

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description                pid    process
    Token: SeDebugPrivilege    1992   powershell.exe

- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
    description                         pid    process                                 target process
    PID 2040 wrote to memory of 1992    2040   b5237a3f0b1db945c1fe3f9ba71e3ff2.exe    powershell.exe
    PID 2040 wrote to memory of 1992    2040   b5237a3f0b1db945c1fe3f9ba71e3ff2.exe    powershell.exe
    PID 2040 wrote to memory of 1992    2040   b5237a3f0b1db945c1fe3f9ba71e3ff2.exe    powershell.exe
    PID 2040 wrote to memory of 1992    2040   b5237a3f0b1db945c1fe3f9ba71e3ff2.exe    powershell.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\b5237a3f0b1db945c1fe3f9ba71e3ff2.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\b5237a3f0b1db945c1fe3f9ba71e3ff2.exe"
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (child of 1)
      Command line: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

Reading the tree together with the signature table: the sample (PID 2040) launched the 32-bit PowerShell host from SysWOW64 with no command-line arguments, wrote into that child's memory four times, and the child then enabled SeDebugPrivilege and enumerated processes. A PowerShell process that receives no script or arguments on its command line but is written to by its parent is consistent with code being injected into the spawned host rather than with a script being run, which is why the child, not the parent, carries the privilege and enumeration signatures.
Network
MITRE ATT&CK Matrix
Downloads
- memory/1992-58-0x00000000021B0000-0x00000000021F0000-memory.dmp    Filesize: 256KB
- memory/2040-54-0x0000000001040000-0x0000000001098000-memory.dmp    Filesize: 352KB
- memory/2040-55-0x0000000004E10000-0x0000000004E50000-memory.dmp    Filesize: 256KB
- memory/2040-59-0x0000000004E10000-0x0000000004E50000-memory.dmp    Filesize: 256KB
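The following triage script is an added example and is not part of the sandbox report or of any sandbox vendor's tooling. It parses the WriteProcessMemory, AdjustPrivilegeToken and memory-dump rows shown above (copied here as constructed inline strings with the same values as the page), flags a parent that writes into a spawned script host whose child then enables SeDebugPrivilege, and checks each memory dump's declared size against its address range. The list of injection-target binaries and the "candidate image" heuristic (a region in the sample's own PID at least as large as the file on disk) are assumptions of this example, not findings from the report.

```python
import re
from collections import defaultdict

# Constructed copies of the report's IoC rows and dump entries (same values as
# on the page); a real run would read them from the report export instead.
SAMPLE_SIZE_KB = 335  # "Size: 335KB" from the General section
WRITE_EVENTS = """\
PID 2040 wrote to memory of 1992 2040 b5237a3f0b1db945c1fe3f9ba71e3ff2.exe powershell.exe
PID 2040 wrote to memory of 1992 2040 b5237a3f0b1db945c1fe3f9ba71e3ff2.exe powershell.exe
PID 2040 wrote to memory of 1992 2040 b5237a3f0b1db945c1fe3f9ba71e3ff2.exe powershell.exe
PID 2040 wrote to memory of 1992 2040 b5237a3f0b1db945c1fe3f9ba71e3ff2.exe powershell.exe
"""
TOKEN_EVENTS = "Token: SeDebugPrivilege 1992 powershell.exe\n"
MEMORY_DUMPS = """\
memory/1992-58-0x00000000021B0000-0x00000000021F0000-memory.dmp 256KB
memory/2040-54-0x0000000001040000-0x0000000001098000-memory.dmp 352KB
memory/2040-55-0x0000000004E10000-0x0000000004E50000-memory.dmp 256KB
memory/2040-59-0x0000000004E10000-0x0000000004E50000-memory.dmp 256KB
"""

# Row layouts follow the report's columns: description, pid, process, target process.
WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)")
TOKEN_RE = re.compile(r"Token: (\S+) (\d+) (\S+)")
DUMP_RE = re.compile(
    r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp (\d+)KB")

# Assumed list of Windows binaries commonly used as injection targets (example
# assumption, not from the report); extend to taste.
INJECTION_TARGETS = {"powershell.exe", "rundll32.exe", "regsvr32.exe",
                     "mshta.exe", "wscript.exe", "cscript.exe", "svchost.exe"}


def parse_writes(text):
    """Count WriteProcessMemory rows per (src pid, src name, dst pid, dst name)."""
    counts = defaultdict(int)
    for m in WRITE_RE.finditer(text):
        src, dst, src_name, dst_name = m.groups()
        counts[(int(src), src_name, int(dst), dst_name)] += 1
    return dict(counts)


def parse_privileges(text):
    """Map (pid, name) -> set of privileges the process enabled on its token."""
    privs = defaultdict(set)
    for m in TOKEN_RE.finditer(text):
        priv, pid, name = m.groups()
        privs[(int(pid), name)].add(priv)
    return dict(privs)


def flag_injection_chains(writes, privs):
    """Flag cross-process writes into a known injection target and record
    whether that target later enabled SeDebugPrivilege, the privilege needed
    to open arbitrary processes for a further hop."""
    findings = []
    for (src, src_name, dst, dst_name), n in writes.items():
        if src == dst or dst_name.lower() not in INJECTION_TARGETS:
            continue
        findings.append({
            "parent": (src, src_name),
            "child": (dst, dst_name),
            "writes": n,
            "child_debug_priv": "SeDebugPrivilege" in privs.get((dst, dst_name), set()),
        })
    return findings


def check_dumps(text, sample_pid, sample_size_kb):
    """Verify each dump's declared size against its address range and mark,
    heuristically, regions in the sample's PID at least as large as the file
    on disk as candidates for the sample's own mapped image."""
    out = []
    for m in DUMP_RE.finditer(text):
        pid, start, end, kb = m.groups()
        pid, start, end, kb = int(pid), int(start, 16), int(end, 16), int(kb)
        length = end - start
        out.append({
            "pid": pid, "start": start, "length": length,
            "size_consistent": length == kb * 1024,
            "candidate_image": pid == sample_pid and kb >= sample_size_kb,
        })
    return out


if __name__ == "__main__":
    writes = parse_writes(WRITE_EVENTS)
    for finding in flag_injection_chains(writes, parse_privileges(TOKEN_EVENTS)):
        print(finding)
    for dump in check_dumps(MEMORY_DUMPS, 2040, SAMPLE_SIZE_KB):
        print(dump)
```

On the rows above, the script reports one chain (b5237a3f0b1db945c1fe3f9ba71e3ff2.exe, PID 2040, four writes into powershell.exe, PID 1992, which then enabled SeDebugPrivilege), confirms that all four dump sizes match their address ranges, and singles out the 352KB region at 0x01040000 in PID 2040 as the one worth loading first when looking for the unpacked sample.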