9c948194834768daeef3f6d8c86d456e643d2e026adc588ff7261640b4905fbe

Analysis

max time kernel
121s
max time network
124s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
04-08-2023 11:56

Target

9c948194834768daeef3f6d8c86d456e643d2e026adc588ff7261640b4905fbe.exe
Size

66.0MB
MD5

25e6268a78891921d2046a0fbfb7d0ba
SHA1

45c4edbbaa404bd6b00e6493a98e8e505ae6c33d
SHA256

9c948194834768daeef3f6d8c86d456e643d2e026adc588ff7261640b4905fbe
SHA512

d5e81098b9419b12ebd8b22c30604aa393ce4235c2b1575036dff5e229411fa866f8eb416f53e01d767f5ffd72ada5ae850138a5633f85cdbce8412d636a2171
SSDEEP

24576:s+tsx1pzI5sVbdqjTDo8VyRc/uOgv0mRUorn+FzQXXXXXXXXXXXXXXXXXXXXXXXX:s+mxvwsVIzecGOgcmRUIn+Fz

Score

1^/10

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

2248 powershell.exe
2248 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2248 powershell.exe

pid	process
2248	powershell.exe
2248	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2248	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

9c948194834768daeef3f6d8c86d456e643d2e026adc588ff7261640b4905fbe.execmd.execmd.exe

description	pid	process	target process
PID 2000 wrote to memory of 1916	2000	9c948194834768daeef3f6d8c86d456e643d2e026adc588ff7261640b4905fbe.exe	cmd.exe
PID 2000 wrote to memory of 1916	2000	9c948194834768daeef3f6d8c86d456e643d2e026adc588ff7261640b4905fbe.exe	cmd.exe
PID 2000 wrote to memory of 1916	2000	9c948194834768daeef3f6d8c86d456e643d2e026adc588ff7261640b4905fbe.exe	cmd.exe
PID 2000 wrote to memory of 1916	2000	9c948194834768daeef3f6d8c86d456e643d2e026adc588ff7261640b4905fbe.exe	cmd.exe
PID 1916 wrote to memory of 1904	1916	cmd.exe	cmd.exe
PID 1916 wrote to memory of 1904	1916	cmd.exe	cmd.exe
PID 1916 wrote to memory of 1904	1916	cmd.exe	cmd.exe
PID 1916 wrote to memory of 1904	1916	cmd.exe	cmd.exe
PID 1904 wrote to memory of 2248	1904	cmd.exe	powershell.exe
PID 1904 wrote to memory of 2248	1904	cmd.exe	powershell.exe
PID 1904 wrote to memory of 2248	1904	cmd.exe	powershell.exe
PID 1904 wrote to memory of 2248	1904	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\9c948194834768daeef3f6d8c86d456e643d2e026adc588ff7261640b4905fbe.exe
"C:\Users\Admin\AppData\Local\Temp\9c948194834768daeef3f6d8c86d456e643d2e026adc588ff7261640b4905fbe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Windows\SysWOW64\cmd.exe
  cmd /k cmd < Petite & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1916
- - C:\Windows\SysWOW64\cmd.exe
    cmd
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1904
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell get-process avastui
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2248

C:\Users\Admin\AppData\Local\Temp\46707\Petite

Filesize
15KB

MD5
c3f50f45bb9d33fdc832b64e2adff19d

SHA1
c2dab52960fa395b509659d537b43fc00c9b26f5

SHA256
ccd716e1d6dafb546465b64261d390affe8e80dc61af9a04aaeabc708c137b5b

SHA512
15414b9fab4749e94cb53b9421f7173ce5a1b6c4a2dad8c8a34b2af521a608e269c3731551476df046c8180e98ba564b5f0fcdb90220971034ce84a3a99f0bf7

Download Submit
memory/2000-54-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2000-74-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2248-70-0x0000000073700000-0x0000000073CAB000-memory.dmp

Filesize
5.7MB

Download
memory/2248-71-0x0000000073700000-0x0000000073CAB000-memory.dmp

Filesize
5.7MB

Download
memory/2248-72-0x00000000026B0000-0x00000000026F0000-memory.dmp

Filesize
256KB

Download
memory/2248-73-0x0000000073700000-0x0000000073CAB000-memory.dmp

Filesize
5.7MB

Download