78ef2d251ac467c2afdf79028a7837b8f474c77aa239df3a447aeec15e03ed44

Analysis

max time kernel
119s
max time network
124s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
27-07-2023 08:40

Target

a97316f79390a1e1c5e26bed12d55121324b0333105f71b1cdf8f35c8f1995c8.exe
Size

54.0MB
MD5

bc42b880b739a593ce7f928baf8c88a7
SHA1

024a49c3f78bda53addea05fb5ecba603a94fc5f
SHA256

a97316f79390a1e1c5e26bed12d55121324b0333105f71b1cdf8f35c8f1995c8
SHA512

09a61d73eb2f0e98c0dd45400978aba55928c8d44bdad1ea0d849562c4a3654696042e8aedd5f3f34b51233451ac83a60c4aefc805e6629a75b84eac615d926a
SSDEEP

49152:c5KlHlofM5oOLGQRJl4CFFs89MwuPbpuPbpuPbpuPbpuPbpuPbpuPbpuPbpuPbpQ:ckH2k5oO7h379l

Score

1^/10

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

2780 powershell.exe
2780 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2780 powershell.exe

pid	process
2780	powershell.exe
2780	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2780	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

a97316f79390a1e1c5e26bed12d55121324b0333105f71b1cdf8f35c8f1995c8.execmd.execmd.exe

description	pid	process	target process
PID 2604 wrote to memory of 2864	2604	a97316f79390a1e1c5e26bed12d55121324b0333105f71b1cdf8f35c8f1995c8.exe	cmd.exe
PID 2604 wrote to memory of 2864	2604	a97316f79390a1e1c5e26bed12d55121324b0333105f71b1cdf8f35c8f1995c8.exe	cmd.exe
PID 2604 wrote to memory of 2864	2604	a97316f79390a1e1c5e26bed12d55121324b0333105f71b1cdf8f35c8f1995c8.exe	cmd.exe
PID 2604 wrote to memory of 2864	2604	a97316f79390a1e1c5e26bed12d55121324b0333105f71b1cdf8f35c8f1995c8.exe	cmd.exe
PID 2864 wrote to memory of 2764	2864	cmd.exe	cmd.exe
PID 2864 wrote to memory of 2764	2864	cmd.exe	cmd.exe
PID 2864 wrote to memory of 2764	2864	cmd.exe	cmd.exe
PID 2864 wrote to memory of 2764	2864	cmd.exe	cmd.exe
PID 2764 wrote to memory of 2780	2764	cmd.exe	powershell.exe
PID 2764 wrote to memory of 2780	2764	cmd.exe	powershell.exe
PID 2764 wrote to memory of 2780	2764	cmd.exe	powershell.exe
PID 2764 wrote to memory of 2780	2764	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\a97316f79390a1e1c5e26bed12d55121324b0333105f71b1cdf8f35c8f1995c8.exe
"C:\Users\Admin\AppData\Local\Temp\a97316f79390a1e1c5e26bed12d55121324b0333105f71b1cdf8f35c8f1995c8.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2604
- C:\Windows\SysWOW64\cmd.exe
  cmd /k cmd < Survivor & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2864
- - C:\Windows\SysWOW64\cmd.exe
    cmd
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2764
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell get-process avastui
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2780

C:\Users\Admin\AppData\Local\Temp\40514\Survivor

Filesize
17KB

MD5
dcb9b5d55e854a4fd10565be9429e6af

SHA1
904e345de259a9f4032b134fc8469d8c8ccc2c53

SHA256
95f4f4cddaa42fdd8c54ba63b757b007fc75bce4f18c8dcf9512669d5e3c08a1

SHA512
68b84c25b8971e09adca0acb9c1bdea2b9a01c790389225c7a78e77a51616efdcd7273762cc3ce085e2811378ac3240c4fe8c42e3eb40909a12d94c2dee6cd34

Download Submit
memory/2604-53-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2604-77-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2780-73-0x0000000074250000-0x00000000747FB000-memory.dmp

Filesize
5.7MB

Download
memory/2780-72-0x0000000074250000-0x00000000747FB000-memory.dmp

Filesize
5.7MB

Download
memory/2780-75-0x0000000002560000-0x00000000025A0000-memory.dmp

Filesize
256KB

Download
memory/2780-74-0x0000000002560000-0x00000000025A0000-memory.dmp

Filesize
256KB

Download
memory/2780-76-0x0000000074250000-0x00000000747FB000-memory.dmp

Filesize
5.7MB

Download