36dc266ad1ea8df01393368710ee6c6fd21629e833252cf0f3f63dffd908c805

Analysis

max time kernel
29s
max time network
34s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
07-07-2023 12:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

36dc266ad1ea8df0139336871.exe
Size

3.5MB
MD5

4695f98bf6e8c0908c0b6af77ec31a6c
SHA1

41b05253a583238d6c583a97eb6d45e92607f53d
SHA256

36dc266ad1ea8df01393368710ee6c6fd21629e833252cf0f3f63dffd908c805
SHA512

b85d91a68c514e2e27d0a1b72aa7d12abed855953944eb2ab7a723a9770972b94434416a2415fc46a3aee516642121329b22eb61f80fc760d011da0ce4acfb30
SSDEEP

24576:Pam/O3RT2048qUkeSLdnC/sGB9D/YBl7B3Yom6pd+e6idu6sN6FCBfcW877++aIS:PaZ3Rb4UScABl7B3YH6pd+e6i

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

36dc266ad1ea8df0139336871.exe

pid	process
3016	36dc266ad1ea8df0139336871.exe
3016	36dc266ad1ea8df0139336871.exe
3016	36dc266ad1ea8df0139336871.exe
3016	36dc266ad1ea8df0139336871.exe
3016	36dc266ad1ea8df0139336871.exe
3016	36dc266ad1ea8df0139336871.exe
3016	36dc266ad1ea8df0139336871.exe
3016	36dc266ad1ea8df0139336871.exe
3016	36dc266ad1ea8df0139336871.exe
3016	36dc266ad1ea8df0139336871.exe
3016	36dc266ad1ea8df0139336871.exe
3016	36dc266ad1ea8df0139336871.exe
3016	36dc266ad1ea8df0139336871.exe
3016	36dc266ad1ea8df0139336871.exe
3016	36dc266ad1ea8df0139336871.exe
3016	36dc266ad1ea8df0139336871.exe
3016	36dc266ad1ea8df0139336871.exe
3016	36dc266ad1ea8df0139336871.exe
3016	36dc266ad1ea8df0139336871.exe
3016	36dc266ad1ea8df0139336871.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

36dc266ad1ea8df0139336871.exe

description pid process

Token: SeDebugPrivilege 3016 36dc266ad1ea8df0139336871.exe

description	pid	process
Token: SeDebugPrivilege	3016	36dc266ad1ea8df0139336871.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

36dc266ad1ea8df0139336871.exe

description	pid	process	target process
PID 3016 wrote to memory of 2912	3016	36dc266ad1ea8df0139336871.exe	36dc266ad1ea8df0139336871.exe
PID 3016 wrote to memory of 2912	3016	36dc266ad1ea8df0139336871.exe	36dc266ad1ea8df0139336871.exe
PID 3016 wrote to memory of 2912	3016	36dc266ad1ea8df0139336871.exe	36dc266ad1ea8df0139336871.exe
PID 3016 wrote to memory of 2912	3016	36dc266ad1ea8df0139336871.exe	36dc266ad1ea8df0139336871.exe
PID 3016 wrote to memory of 2648	3016	36dc266ad1ea8df0139336871.exe	36dc266ad1ea8df0139336871.exe
PID 3016 wrote to memory of 2648	3016	36dc266ad1ea8df0139336871.exe	36dc266ad1ea8df0139336871.exe
PID 3016 wrote to memory of 2648	3016	36dc266ad1ea8df0139336871.exe	36dc266ad1ea8df0139336871.exe
PID 3016 wrote to memory of 2648	3016	36dc266ad1ea8df0139336871.exe	36dc266ad1ea8df0139336871.exe
PID 3016 wrote to memory of 2640	3016	36dc266ad1ea8df0139336871.exe	36dc266ad1ea8df0139336871.exe
PID 3016 wrote to memory of 2640	3016	36dc266ad1ea8df0139336871.exe	36dc266ad1ea8df0139336871.exe
PID 3016 wrote to memory of 2640	3016	36dc266ad1ea8df0139336871.exe	36dc266ad1ea8df0139336871.exe
PID 3016 wrote to memory of 2640	3016	36dc266ad1ea8df0139336871.exe	36dc266ad1ea8df0139336871.exe
PID 3016 wrote to memory of 2520	3016	36dc266ad1ea8df0139336871.exe	36dc266ad1ea8df0139336871.exe
PID 3016 wrote to memory of 2520	3016	36dc266ad1ea8df0139336871.exe	36dc266ad1ea8df0139336871.exe
PID 3016 wrote to memory of 2520	3016	36dc266ad1ea8df0139336871.exe	36dc266ad1ea8df0139336871.exe
PID 3016 wrote to memory of 2520	3016	36dc266ad1ea8df0139336871.exe	36dc266ad1ea8df0139336871.exe
PID 3016 wrote to memory of 2528	3016	36dc266ad1ea8df0139336871.exe	36dc266ad1ea8df0139336871.exe
PID 3016 wrote to memory of 2528	3016	36dc266ad1ea8df0139336871.exe	36dc266ad1ea8df0139336871.exe
PID 3016 wrote to memory of 2528	3016	36dc266ad1ea8df0139336871.exe	36dc266ad1ea8df0139336871.exe
PID 3016 wrote to memory of 2528	3016	36dc266ad1ea8df0139336871.exe	36dc266ad1ea8df0139336871.exe
PID 3016 wrote to memory of 2472	3016	36dc266ad1ea8df0139336871.exe	36dc266ad1ea8df0139336871.exe
PID 3016 wrote to memory of 2472	3016	36dc266ad1ea8df0139336871.exe	36dc266ad1ea8df0139336871.exe
PID 3016 wrote to memory of 2472	3016	36dc266ad1ea8df0139336871.exe	36dc266ad1ea8df0139336871.exe
PID 3016 wrote to memory of 2472	3016	36dc266ad1ea8df0139336871.exe	36dc266ad1ea8df0139336871.exe
PID 3016 wrote to memory of 2476	3016	36dc266ad1ea8df0139336871.exe	36dc266ad1ea8df0139336871.exe
PID 3016 wrote to memory of 2476	3016	36dc266ad1ea8df0139336871.exe	36dc266ad1ea8df0139336871.exe
PID 3016 wrote to memory of 2476	3016	36dc266ad1ea8df0139336871.exe	36dc266ad1ea8df0139336871.exe
PID 3016 wrote to memory of 2476	3016	36dc266ad1ea8df0139336871.exe	36dc266ad1ea8df0139336871.exe
PID 3016 wrote to memory of 2488	3016	36dc266ad1ea8df0139336871.exe	36dc266ad1ea8df0139336871.exe
PID 3016 wrote to memory of 2488	3016	36dc266ad1ea8df0139336871.exe	36dc266ad1ea8df0139336871.exe
PID 3016 wrote to memory of 2488	3016	36dc266ad1ea8df0139336871.exe	36dc266ad1ea8df0139336871.exe
PID 3016 wrote to memory of 2488	3016	36dc266ad1ea8df0139336871.exe	36dc266ad1ea8df0139336871.exe
PID 3016 wrote to memory of 2504	3016	36dc266ad1ea8df0139336871.exe	36dc266ad1ea8df0139336871.exe
PID 3016 wrote to memory of 2504	3016	36dc266ad1ea8df0139336871.exe	36dc266ad1ea8df0139336871.exe
PID 3016 wrote to memory of 2504	3016	36dc266ad1ea8df0139336871.exe	36dc266ad1ea8df0139336871.exe
PID 3016 wrote to memory of 2504	3016	36dc266ad1ea8df0139336871.exe	36dc266ad1ea8df0139336871.exe
PID 3016 wrote to memory of 2516	3016	36dc266ad1ea8df0139336871.exe	36dc266ad1ea8df0139336871.exe
PID 3016 wrote to memory of 2516	3016	36dc266ad1ea8df0139336871.exe	36dc266ad1ea8df0139336871.exe
PID 3016 wrote to memory of 2516	3016	36dc266ad1ea8df0139336871.exe	36dc266ad1ea8df0139336871.exe
PID 3016 wrote to memory of 2516	3016	36dc266ad1ea8df0139336871.exe	36dc266ad1ea8df0139336871.exe

C:\Users\Admin\AppData\Local\Temp\36dc266ad1ea8df0139336871.exe
"C:\Users\Admin\AppData\Local\Temp\36dc266ad1ea8df0139336871.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Users\Admin\AppData\Local\Temp\36dc266ad1ea8df0139336871.exe
  C:\Users\Admin\AppData\Local\Temp\36dc266ad1ea8df0139336871.exe
  2⤵
  PID:2912
- C:\Users\Admin\AppData\Local\Temp\36dc266ad1ea8df0139336871.exe
  C:\Users\Admin\AppData\Local\Temp\36dc266ad1ea8df0139336871.exe
  2⤵
  PID:2648
- C:\Users\Admin\AppData\Local\Temp\36dc266ad1ea8df0139336871.exe
  C:\Users\Admin\AppData\Local\Temp\36dc266ad1ea8df0139336871.exe
  2⤵
  PID:2640
- C:\Users\Admin\AppData\Local\Temp\36dc266ad1ea8df0139336871.exe
  C:\Users\Admin\AppData\Local\Temp\36dc266ad1ea8df0139336871.exe
  2⤵
  PID:2520
- C:\Users\Admin\AppData\Local\Temp\36dc266ad1ea8df0139336871.exe
  C:\Users\Admin\AppData\Local\Temp\36dc266ad1ea8df0139336871.exe
  2⤵
  PID:2528
- C:\Users\Admin\AppData\Local\Temp\36dc266ad1ea8df0139336871.exe
  C:\Users\Admin\AppData\Local\Temp\36dc266ad1ea8df0139336871.exe
  2⤵
  PID:2472
- C:\Users\Admin\AppData\Local\Temp\36dc266ad1ea8df0139336871.exe
  C:\Users\Admin\AppData\Local\Temp\36dc266ad1ea8df0139336871.exe
  2⤵
  PID:2476
- C:\Users\Admin\AppData\Local\Temp\36dc266ad1ea8df0139336871.exe
  C:\Users\Admin\AppData\Local\Temp\36dc266ad1ea8df0139336871.exe
  2⤵
  PID:2488
- C:\Users\Admin\AppData\Local\Temp\36dc266ad1ea8df0139336871.exe
  C:\Users\Admin\AppData\Local\Temp\36dc266ad1ea8df0139336871.exe
  2⤵
  PID:2504
- C:\Users\Admin\AppData\Local\Temp\36dc266ad1ea8df0139336871.exe
  C:\Users\Admin\AppData\Local\Temp\36dc266ad1ea8df0139336871.exe
  2⤵
  PID:2516

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3016-54-0x00000000001F0000-0x0000000000574000-memory.dmp

Filesize
3.5MB

Download
memory/3016-55-0x0000000004AD0000-0x0000000004B9C000-memory.dmp

Filesize
816KB

Download
memory/3016-56-0x0000000004AD0000-0x0000000004B97000-memory.dmp

Filesize
796KB

Download
memory/3016-57-0x0000000004AD0000-0x0000000004B97000-memory.dmp

Filesize
796KB

Download
memory/3016-59-0x0000000004AD0000-0x0000000004B97000-memory.dmp

Filesize
796KB

Download
memory/3016-61-0x0000000004AD0000-0x0000000004B97000-memory.dmp

Filesize
796KB

Download
memory/3016-65-0x0000000004AD0000-0x0000000004B97000-memory.dmp

Filesize
796KB

Download
memory/3016-63-0x0000000004AD0000-0x0000000004B97000-memory.dmp

Filesize
796KB

Download
memory/3016-67-0x0000000004AD0000-0x0000000004B97000-memory.dmp

Filesize
796KB

Download
memory/3016-69-0x0000000004AD0000-0x0000000004B97000-memory.dmp

Filesize
796KB

Download
memory/3016-71-0x0000000004AD0000-0x0000000004B97000-memory.dmp

Filesize
796KB

Download
memory/3016-73-0x0000000004AD0000-0x0000000004B97000-memory.dmp

Filesize
796KB

Download
memory/3016-75-0x0000000004AD0000-0x0000000004B97000-memory.dmp

Filesize
796KB

Download
memory/3016-77-0x0000000004AD0000-0x0000000004B97000-memory.dmp

Filesize
796KB

Download
memory/3016-79-0x0000000004AD0000-0x0000000004B97000-memory.dmp

Filesize
796KB

Download
memory/3016-81-0x0000000004AD0000-0x0000000004B97000-memory.dmp

Filesize
796KB

Download
memory/3016-84-0x0000000004AD0000-0x0000000004B97000-memory.dmp

Filesize
796KB

Download
memory/3016-83-0x0000000004BE0000-0x0000000004C20000-memory.dmp

Filesize
256KB

Download
memory/3016-86-0x0000000004AD0000-0x0000000004B97000-memory.dmp

Filesize
796KB

Download
memory/3016-88-0x0000000004AD0000-0x0000000004B97000-memory.dmp

Filesize
796KB

Download
memory/3016-90-0x0000000004AD0000-0x0000000004B97000-memory.dmp

Filesize
796KB

Download
memory/3016-92-0x0000000004AD0000-0x0000000004B97000-memory.dmp

Filesize
796KB

Download
memory/3016-94-0x0000000004AD0000-0x0000000004B97000-memory.dmp

Filesize
796KB

Download
memory/3016-96-0x0000000004AD0000-0x0000000004B97000-memory.dmp

Filesize
796KB

Download
memory/3016-98-0x0000000004AD0000-0x0000000004B97000-memory.dmp

Filesize
796KB

Download
memory/3016-100-0x0000000004AD0000-0x0000000004B97000-memory.dmp

Filesize
796KB

Download
memory/3016-102-0x0000000004AD0000-0x0000000004B97000-memory.dmp

Filesize
796KB

Download
memory/3016-104-0x0000000004AD0000-0x0000000004B97000-memory.dmp

Filesize
796KB

Download
memory/3016-106-0x0000000004AD0000-0x0000000004B97000-memory.dmp

Filesize
796KB

Download
memory/3016-108-0x0000000004AD0000-0x0000000004B97000-memory.dmp

Filesize
796KB

Download
memory/3016-110-0x0000000004AD0000-0x0000000004B97000-memory.dmp

Filesize
796KB

Download
memory/3016-112-0x0000000004AD0000-0x0000000004B97000-memory.dmp

Filesize
796KB

Download
memory/3016-114-0x0000000004AD0000-0x0000000004B97000-memory.dmp

Filesize
796KB

Download
memory/3016-116-0x0000000004AD0000-0x0000000004B97000-memory.dmp

Filesize
796KB

Download
memory/3016-118-0x0000000004AD0000-0x0000000004B97000-memory.dmp

Filesize
796KB

Download
memory/3016-120-0x0000000004AD0000-0x0000000004B97000-memory.dmp

Filesize
796KB

Download
memory/3016-1379-0x00000000007F0000-0x0000000000822000-memory.dmp

Filesize
200KB

Download
memory/3016-1380-0x0000000000B10000-0x0000000000B5C000-memory.dmp

Filesize
304KB

Download
memory/3016-1381-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download