95d646959e53e56f07dad3309366b8e9ce6355881ceeeac17e4254fbc1d2f30e

Analysis

max time kernel
122s
max time network
127s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
24-07-2023 12:46

Target

sample/Pre_Satup1_Activate.exe
Size

66.0MB
MD5

60c266e24923ebb2f88f2e29d45cc553
SHA1

893fa582caeca62faf5fccce950f5b654ef339c5
SHA256

d2a63c6d9cdda0bc062b61cf77d84259c451edfed1a01401e519bc75cfff7e8e
SHA512

e2c87a7c2fa8a3f07fff03505592c74a5528249c40e40573deb2a5dfc2961a99ac6f4d28324982555f7296d706901940f66e6a85e25a4492d42f1e674943fd15
SSDEEP

12288:cTSptB012lD9Gx/4fj0gcSyGD8Apjl4IWQAqOs/Dq1tXLi1CBpojCSguSYrsE1EP:cTam2bGwPc651uI9BCXhcjCSRrNgougc

Score

1^/10

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

2228 powershell.exe
2228 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2228 powershell.exe

pid	process
2228	powershell.exe
2228	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2228	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

Pre_Satup1_Activate.execmd.execmd.exe

description	pid	process	target process
PID 2272 wrote to memory of 2200	2272	Pre_Satup1_Activate.exe	cmd.exe
PID 2272 wrote to memory of 2200	2272	Pre_Satup1_Activate.exe	cmd.exe
PID 2272 wrote to memory of 2200	2272	Pre_Satup1_Activate.exe	cmd.exe
PID 2272 wrote to memory of 2200	2272	Pre_Satup1_Activate.exe	cmd.exe
PID 2200 wrote to memory of 2576	2200	cmd.exe	cmd.exe
PID 2200 wrote to memory of 2576	2200	cmd.exe	cmd.exe
PID 2200 wrote to memory of 2576	2200	cmd.exe	cmd.exe
PID 2200 wrote to memory of 2576	2200	cmd.exe	cmd.exe
PID 2576 wrote to memory of 2228	2576	cmd.exe	powershell.exe
PID 2576 wrote to memory of 2228	2576	cmd.exe	powershell.exe
PID 2576 wrote to memory of 2228	2576	cmd.exe	powershell.exe
PID 2576 wrote to memory of 2228	2576	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\sample\Pre_Satup1_Activate.exe
"C:\Users\Admin\AppData\Local\Temp\sample\Pre_Satup1_Activate.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Windows\SysWOW64\cmd.exe
  cmd /k cmd < Childhood & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2200
- - C:\Windows\SysWOW64\cmd.exe
    cmd
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2576
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell get-process avastui
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2228

C:\Users\Admin\AppData\Local\Temp\979\Childhood

Filesize
13KB

MD5
4247653db82d81645c04ee8f612d05b7

SHA1
2f3afb842618e52a0f8bac6d7e8cfb2fa42e91a7

SHA256
df9b5274ee9c66fa4d4551e7d66395943994dc860741eb94a51d3063a85bb841

SHA512
e7eb936c2e4e2d7e3472696a8ed617958f66698deef0effe6737e95851b8d3176ff47ba684ec7bf985328f1688da6476052a87a535a0d9c644a73692fecb0b9e

Download Submit
memory/2228-68-0x0000000074450000-0x00000000749FB000-memory.dmp

Filesize
5.7MB

Download
memory/2228-69-0x0000000074450000-0x00000000749FB000-memory.dmp

Filesize
5.7MB

Download
memory/2228-70-0x00000000024D0000-0x0000000002510000-memory.dmp

Filesize
256KB

Download
memory/2228-71-0x00000000024D0000-0x0000000002510000-memory.dmp

Filesize
256KB

Download
memory/2228-74-0x0000000074450000-0x00000000749FB000-memory.dmp

Filesize
5.7MB

Download
memory/2272-54-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2272-72-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2272-73-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2272-75-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download