Analysis
-
max time kernel
118s
-
max time network
124s
-
platform
windows7_x64
-
resource
win7-20230712-en
-
resource tags
arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
-
submitted
18/08/2023, 15:18
Static task
static1
Behavioral task
behavioral1
Sample
d7a133c378e6af60b98144f04c39206f871941f944c04dafaba607f5f77bc997.exe
Resource
win7-20230712-en
General
-
Target
d7a133c378e6af60b98144f04c39206f871941f944c04dafaba607f5f77bc997.exe
-
Size
1.4MB
-
MD5
9ef1ba6758ea23950360a34b1e4b0bb0
-
SHA1
45612825204597bb913a0f816bc2e3f2ca47e449
-
SHA256
d7a133c378e6af60b98144f04c39206f871941f944c04dafaba607f5f77bc997
-
SHA512
190a469ed4acd8187c02e28b1a77ec05ca23b31703b2bad81fda2254af4d9e7c6169fe48ce0d08b68fba78657dad5152c5d05970341fe3797f0dc4a5de88f7dc
-
SSDEEP
24576:scvn1hCiZ+8BuR2vDOlLIHzF1/szzpftNfd:scvnPDyR2fT3szz1X1
Malware Config
Signatures
-
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid   Process
2340  powershell.exe
2340  powershell.exe
-
Suspicious use of AdjustPrivilegeToken (1 IoC)
description              pid   Process
Token: SeDebugPrivilege  2340  powershell.exe
-
Suspicious use of WriteProcessMemory (12 IoCs)
description                       pid   Process                                                                   procid_target
PID 2220 wrote to memory of 1608  2220  d7a133c378e6af60b98144f04c39206f871941f944c04dafaba607f5f77bc997.exe  30
PID 2220 wrote to memory of 1608  2220  d7a133c378e6af60b98144f04c39206f871941f944c04dafaba607f5f77bc997.exe  30
PID 2220 wrote to memory of 1608  2220  d7a133c378e6af60b98144f04c39206f871941f944c04dafaba607f5f77bc997.exe  30
PID 2220 wrote to memory of 1608  2220  d7a133c378e6af60b98144f04c39206f871941f944c04dafaba607f5f77bc997.exe  30
PID 1608 wrote to memory of 2096  1608  cmd.exe                                                                   32
PID 1608 wrote to memory of 2096  1608  cmd.exe                                                                   32
PID 1608 wrote to memory of 2096  1608  cmd.exe                                                                   32
PID 1608 wrote to memory of 2096  1608  cmd.exe                                                                   32
PID 2096 wrote to memory of 2340  2096  cmd.exe                                                                   33
PID 2096 wrote to memory of 2340  2096  cmd.exe                                                                   33
PID 2096 wrote to memory of 2340  2096  cmd.exe                                                                   33
PID 2096 wrote to memory of 2340  2096  cmd.exe                                                                   33
Processes
-
C:\Users\Admin\AppData\Local\Temp\d7a133c378e6af60b98144f04c39206f871941f944c04dafaba607f5f77bc997.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d7a133c378e6af60b98144f04c39206f871941f944c04dafaba607f5f77bc997.exe"
  - Suspicious use of WriteProcessMemory
  PID: 2220
  -
  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /k cmd < Anyone & exit
    - Suspicious use of WriteProcessMemory
    PID: 1608
    -
    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd
      - Suspicious use of WriteProcessMemory
      PID: 2096
      -
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell get-process avastui
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 2340
Network
MITRE ATT&CK Matrix
Downloads
-
Filesize
14KB
-
MD5
ee82d316318b3bb19e2a1aa13cfde12d
-
SHA1
83ae8b583212041c75c49c11947443c57d99ebc9
-
SHA256
ba1aa96299673031f84d6a589c990e8e4ee97f8755d40aa0caa1837e8c4b1730
-
SHA512
fef62456632d5d8579c174a137ba3eeed537885f41e550505abf90a9ecf60663fb584624343697fda1d0ba43ea200e2c552d495d0df475d61c1e1691da09e88d