ceb0b34bf3d2f9ef826aefe57e9f1c599925a5c57cb35425a5af808c5f1a979b

Analysis

max time kernel
122s
max time network
125s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
31-07-2023 05:46

Target

77fe3e6231388c1b5c97c89044117aa5.exe
Size

1.1MB
MD5

77fe3e6231388c1b5c97c89044117aa5
SHA1

42fe4de17b9121fd7364eaccbd0f1e356424f520
SHA256

ceb0b34bf3d2f9ef826aefe57e9f1c599925a5c57cb35425a5af808c5f1a979b
SHA512

9266e30f5a70ff824f1d266172dbc1cc3074d6b58722010c1451203b223cdaf9f33e811187fe7a57aa147714869044e9358faac63c904dbf4d1dd37dc17f400d
SSDEEP

24576:Lki4YGb0KwdK2JZMHyfv5Y5uqwgRDOiz4nBY:Lki4V0VDUIy5X9RDOk4ni

Score

1^/10

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

2232 powershell.exe
2232 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2232 powershell.exe

pid	process
2232	powershell.exe
2232	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2232	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

77fe3e6231388c1b5c97c89044117aa5.execmd.execmd.exe

description	pid	process	target process
PID 540 wrote to memory of 528	540	77fe3e6231388c1b5c97c89044117aa5.exe	cmd.exe
PID 540 wrote to memory of 528	540	77fe3e6231388c1b5c97c89044117aa5.exe	cmd.exe
PID 540 wrote to memory of 528	540	77fe3e6231388c1b5c97c89044117aa5.exe	cmd.exe
PID 540 wrote to memory of 528	540	77fe3e6231388c1b5c97c89044117aa5.exe	cmd.exe
PID 528 wrote to memory of 1080	528	cmd.exe	cmd.exe
PID 528 wrote to memory of 1080	528	cmd.exe	cmd.exe
PID 528 wrote to memory of 1080	528	cmd.exe	cmd.exe
PID 528 wrote to memory of 1080	528	cmd.exe	cmd.exe
PID 1080 wrote to memory of 2232	1080	cmd.exe	powershell.exe
PID 1080 wrote to memory of 2232	1080	cmd.exe	powershell.exe
PID 1080 wrote to memory of 2232	1080	cmd.exe	powershell.exe
PID 1080 wrote to memory of 2232	1080	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\77fe3e6231388c1b5c97c89044117aa5.exe
"C:\Users\Admin\AppData\Local\Temp\77fe3e6231388c1b5c97c89044117aa5.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:540
- C:\Windows\SysWOW64\cmd.exe
  cmd /k cmd < Risks & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:528
- - C:\Windows\SysWOW64\cmd.exe
    cmd
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1080
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell get-process avastui
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2232

C:\Users\Admin\AppData\Local\Temp\58064\Risks

Filesize
13KB

MD5
e74236fa208e387cdd549b8d295d4480

SHA1
c724a51ea18f46f4295642b87aaa751cd7b101da

SHA256
8bff8d976d2743def2fc1a3341295375e055eb39ed218a1bf76d039787e48ab6

SHA512
18b90db00fef174ec94ef3218e024f421fa8cca267e68c41f609ea5fbeafe818285956324fe396b3e0ba0de925ff01fb71237520b5e2ed477af8ef2c92e9c7b3

Download Submit
memory/540-54-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/540-73-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2232-66-0x0000000073900000-0x0000000073EAB000-memory.dmp

Filesize
5.7MB

Download
memory/2232-67-0x0000000073900000-0x0000000073EAB000-memory.dmp

Filesize
5.7MB

Download
memory/2232-68-0x0000000073900000-0x0000000073EAB000-memory.dmp

Filesize
5.7MB

Download
memory/2232-69-0x0000000000280000-0x00000000002C0000-memory.dmp

Filesize
256KB

Download
memory/2232-70-0x0000000000280000-0x00000000002C0000-memory.dmp

Filesize
256KB

Download
memory/2232-71-0x0000000000280000-0x00000000002C0000-memory.dmp

Filesize
256KB

Download
memory/2232-72-0x0000000073900000-0x0000000073EAB000-memory.dmp

Filesize
5.7MB

Download