f7b372825e20fb9e6c038cc2f67aebbcc4bebbe2bdef97c7dec09933d6aa4419

Analysis

max time kernel
142s
max time network
122s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
18-07-2023 20:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PURCHASE.exe
Size

852KB
MD5

d1cd47f7c1b362dd9f478ad795596180
SHA1

629f14639425f40e3ad081e4fcb0b4238e4f40d1
SHA256

325af2369691a45f5421d141a8b4e7d5a1a1bc28bce159ccc421daabaec846fe
SHA512

df80b30f5822bc106cc3781609ffdc922faa4d5496ae2b20d6e85f0bbd0d63b7b44f39a61e0dd63ee6467aa5dc147d04466e74a491677bd8bb6f65e7a168b1b3
SSDEEP

24576:Fo/thewlqB6p9+KJHHxQcRy93RvsB3VuCXdY:6e2q8p93Qb93R03n

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3000 set thread context of 2496	3000	PURCHASE.exe	30

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
2496	MSBuild.exe
2496	MSBuild.exe
2496	MSBuild.exe
2496	MSBuild.exe
2496	MSBuild.exe
2496	MSBuild.exe
2496	MSBuild.exe
2496	MSBuild.exe
2496	MSBuild.exe
2496	MSBuild.exe
2496	MSBuild.exe
2496	MSBuild.exe
2496	MSBuild.exe
2496	MSBuild.exe
2496	MSBuild.exe
2496	MSBuild.exe
2496	MSBuild.exe
2496	MSBuild.exe
2496	MSBuild.exe
2496	MSBuild.exe
2496	MSBuild.exe
2496	MSBuild.exe
2496	MSBuild.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2496	MSBuild.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 3000 wrote to memory of 2496	3000	PURCHASE.exe	30
PID 3000 wrote to memory of 2496	3000	PURCHASE.exe	30
PID 3000 wrote to memory of 2496	3000	PURCHASE.exe	30
PID 3000 wrote to memory of 2496	3000	PURCHASE.exe	30
PID 3000 wrote to memory of 2496	3000	PURCHASE.exe	30
PID 3000 wrote to memory of 2496	3000	PURCHASE.exe	30
PID 3000 wrote to memory of 2496	3000	PURCHASE.exe	30

C:\Users\Admin\AppData\Local\Temp\PURCHASE.exe
"C:\Users\Admin\AppData\Local\Temp\PURCHASE.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3000
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2496

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2496-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2496-70-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2496-69-0x0000000000A60000-0x0000000000D63000-memory.dmp

Filesize
3.0MB

Download
memory/2496-67-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2496-66-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2496-65-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2496-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3000-58-0x00000000744A0000-0x0000000074B8E000-memory.dmp

Filesize
6.9MB

Download
memory/3000-62-0x0000000002460000-0x00000000024B2000-memory.dmp

Filesize
328KB

Download
memory/3000-61-0x0000000007FD0000-0x000000000805A000-memory.dmp

Filesize
552KB

Download
memory/3000-60-0x0000000000450000-0x000000000045C000-memory.dmp

Filesize
48KB

Download
memory/3000-59-0x0000000000BE0000-0x0000000000C20000-memory.dmp

Filesize
256KB

Download
memory/3000-54-0x0000000000F80000-0x000000000105A000-memory.dmp

Filesize
872KB

Download
memory/3000-57-0x0000000000440000-0x0000000000452000-memory.dmp

Filesize
72KB

Download
memory/3000-68-0x00000000744A0000-0x0000000074B8E000-memory.dmp

Filesize
6.9MB

Download
memory/3000-56-0x0000000000BE0000-0x0000000000C20000-memory.dmp

Filesize
256KB

Download
memory/3000-55-0x00000000744A0000-0x0000000074B8E000-memory.dmp

Filesize
6.9MB

Download