Analysis
-
max time kernel
148s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20230712-en -
resource tags
arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
submitted
28/08/2023, 17:44
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
99.exe
Resource
win7-20230712-en
5 signatures
150 seconds
Behavioral task
behavioral2
Sample
99.exe
Resource
win10v2004-20230703-en
5 signatures
150 seconds
General
-
Target
99.exe
-
Size
2.0MB
-
MD5
31dd671d3aceab33bccb2f206ad4bf0f
-
SHA1
e8915bdc95e075c90816de5ff7dbda3f65c79ca8
-
SHA256
626ba93e37340cf76db45d4d05926ccfcc4f9e8bcc7c6628054843944042a0fb
-
SHA512
beeee1d9c9ada7f0cb83f5cfe602ca1483e4a3c2679a5fe4090aa08eda5ed99e33cf247b512176c6bef1a8924b8495bb9af5a096919ac6dd890c509a417a3288
-
SSDEEP
49152:OIRlp97ZF1KBl6bBjuyFWANKQ8yE8OEBhn:t1q6btuyBybE
Score
1/10
Malware Config
Signatures
-
Kills process with taskkill 7 IoCs
pid   Process
2724  taskkill.exe
2832  taskkill.exe
2860  taskkill.exe
2864  taskkill.exe
2720  taskkill.exe
2968  taskkill.exe
2896  taskkill.exe
Suspicious behavior: EnumeratesProcesses 14 IoCs
pid   Process
2208  99.exe  (14 events)
Suspicious use of AdjustPrivilegeToken 10 IoCs
description                    pid   Process
Token: SeDebugPrivilege        2208  99.exe
Token: SeSystemtimePrivilege   2208  99.exe
Token: SeDebugPrivilege        2208  99.exe
Token: SeDebugPrivilege        2896  taskkill.exe
Token: SeDebugPrivilege        2860  taskkill.exe
Token: SeDebugPrivilege        2864  taskkill.exe
Token: SeDebugPrivilege        2968  taskkill.exe
Token: SeDebugPrivilege        2724  taskkill.exe
Token: SeDebugPrivilege        2720  taskkill.exe
Token: SeDebugPrivilege        2832  taskkill.exe
Suspicious use of SetWindowsHookEx 2 IoCs
pid   Process
2208  99.exe  (2 events)
Suspicious use of WriteProcessMemory 56 IoCs
Each row below was logged four times (14 parent/child pairs × 4 = 56 IoCs).

pid   Process   wrote to memory of pid   procid_target
2208  99.exe    2020                     28
2208  99.exe    2308                     29
2208  99.exe    2824                     32
2208  99.exe    2952                     33
2208  99.exe    2948                     34
2208  99.exe    1988                     37
2208  99.exe    2820                     40
2824  cmd.exe   2896                     44
2952  cmd.exe   2720                     42
2308  cmd.exe   2724                     45
2948  cmd.exe   2968                     43
2020  cmd.exe   2832                     46
1988  cmd.exe   2860                     47
2820  cmd.exe   2864                     48
Processes
-
Tree depth is shown by indentation (image path, then command line, then signatures and PID). The image name in the taskkill command lines appeared on the page as "ÉϺÅÆ÷.exe", which is the GBK-encoded name 上号器.exe rendered as Latin-1; it is shown decoded below.

C:\Users\Admin\AppData\Local\Temp\99.exe
    "C:\Users\Admin\AppData\Local\Temp\99.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2208

  C:\Windows\SysWOW64\cmd.exe
      cmd /c taskkill /im 上号器.exe /f
      - Suspicious use of WriteProcessMemory
      PID:2020
    C:\Windows\SysWOW64\taskkill.exe
        taskkill /im 上号器.exe /f
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
        PID:2832

  C:\Windows\SysWOW64\cmd.exe
      cmd /c taskkill /im 上号器.exe /f
      - Suspicious use of WriteProcessMemory
      PID:2308
    C:\Windows\SysWOW64\taskkill.exe
        taskkill /im 上号器.exe /f
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
        PID:2724

  C:\Windows\SysWOW64\cmd.exe
      cmd /c taskkill /im 上号器.exe /f
      - Suspicious use of WriteProcessMemory
      PID:2824
    C:\Windows\SysWOW64\taskkill.exe
        taskkill /im 上号器.exe /f
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
        PID:2896

  C:\Windows\SysWOW64\cmd.exe
      cmd /c taskkill /im 上号器.exe /f
      - Suspicious use of WriteProcessMemory
      PID:2952
    C:\Windows\SysWOW64\taskkill.exe
        taskkill /im 上号器.exe /f
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
        PID:2720

  C:\Windows\SysWOW64\cmd.exe
      cmd /c taskkill /im 上号器.exe /f
      - Suspicious use of WriteProcessMemory
      PID:2948
    C:\Windows\SysWOW64\taskkill.exe
        taskkill /im 上号器.exe /f
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
        PID:2968

  C:\Windows\SysWOW64\cmd.exe
      cmd /c taskkill /im 上号器.exe /f
      - Suspicious use of WriteProcessMemory
      PID:1988
    C:\Windows\SysWOW64\taskkill.exe
        taskkill /im 上号器.exe /f
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
        PID:2860

  C:\Windows\SysWOW64\cmd.exe
      cmd /c taskkill /im 上号器.exe /f
      - Suspicious use of WriteProcessMemory
      PID:2820
    C:\Windows\SysWOW64\taskkill.exe
        taskkill /im 上号器.exe /f
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
        PID:2864
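The behavioral picture in this report is narrow but distinctive: one parent spawns seven "cmd /c taskkill /im <image> /f" wrappers in a row, every taskkill enables SeDebugPrivilege, and the only WriteProcessMemory activity is the same four parent-to-child writes at creation time for each child, which is consistent with ordinary process creation under the sandbox's hooks rather than injection. The kill chain, not the memory writes, is the part worth turning into a detection. The following Python is an added example and is not part of the Triage report or of its signature engine: it runs a hunt over process-creation events constructed from the process tree above and flags a root process that forces the termination of the same image name three or more times, noting how many of those kills went through a cmd.exe wrapper. The ProcEvent fields, the threshold and the finding keys are this example's own choices; the decoded target name 上号器.exe comes from the report.

```python
"""Hunt repeated forced taskkill chains in process-creation telemetry.

Added example, not part of the sandbox report. EVENTS is constructed from
the process tree in the report; field names, the threshold and the finding
layout are this example's own choices.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: Optional[int]   # None when the parent is outside the captured tree
    image: str            # full image path
    cmdline: str


# Constructed from the report: 99.exe (PID 2208) launches seven
# "cmd /c taskkill /im <name> /f" wrappers, each of which launches taskkill.
TARGET = "上号器.exe"
_PAIRS = [(2020, 2832), (2308, 2724), (2824, 2896), (2952, 2720),
          (2948, 2968), (1988, 2860), (2820, 2864)]   # (cmd.exe pid, taskkill pid)
EVENTS = [ProcEvent(2208, None, r"C:\Users\Admin\AppData\Local\Temp\99.exe",
                    r'"C:\Users\Admin\AppData\Local\Temp\99.exe"')]
for _cmd_pid, _tk_pid in _PAIRS:
    EVENTS.append(ProcEvent(_cmd_pid, 2208, r"C:\Windows\SysWOW64\cmd.exe",
                            f"cmd /c taskkill /im {TARGET} /f"))
    EVENTS.append(ProcEvent(_tk_pid, _cmd_pid, r"C:\Windows\SysWOW64\taskkill.exe",
                            f"taskkill /im {TARGET} /f"))


def basename(path: str) -> str:
    """Lower-cased final path component, accepting either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_taskkill(cmdline: str):
    """Parse a taskkill command line into its targets and switches.

    Returns {'targets': [(kind, value), ...], 'forced': bool, 'tree': bool}
    where kind is 'im' or 'pid', or None when the first token is not taskkill
    (so a "cmd /c taskkill ..." wrapper is not counted a second time).
    Switches are case-insensitive and may use '/' or '-'. Image names are
    split on whitespace, so a quoted name containing spaces is not handled.
    """
    toks = cmdline.split()
    if not toks or basename(toks[0].strip('"')) not in ("taskkill", "taskkill.exe"):
        return None
    out = {"targets": [], "forced": False, "tree": False}
    i = 1
    while i < len(toks):
        sw = toks[i].lower().lstrip("/-")
        if sw in ("im", "pid") and i + 1 < len(toks):
            out["targets"].append((sw, toks[i + 1].strip('"').lower()))
            i += 2
            continue
        if sw == "f":
            out["forced"] = True
        elif sw == "t":
            out["tree"] = True
        i += 1
    return out


def root_of(pid: int, by_pid: dict) -> int:
    """Follow ppid links to the top-most process present in the telemetry."""
    seen = set()
    while pid in by_pid and by_pid[pid].ppid in by_pid and pid not in seen:
        seen.add(pid)
        pid = by_pid[pid].ppid
    return pid


def find_kill_chains(events, threshold: int = 3):
    """Group taskkill invocations by (root process, target) and report every
    pair that reaches `threshold`, with counts of forced (/f) kills and of
    kills launched through a cmd.exe parent."""
    by_pid = {e.pid: e for e in events}
    counts = defaultdict(lambda: {"count": 0, "forced": 0, "via_cmd": 0})
    for e in events:
        tk = parse_taskkill(e.cmdline)
        if tk is None:
            continue
        root = root_of(e.pid, by_pid)
        parent = by_pid.get(e.ppid)
        for kind, name in tk["targets"]:
            c = counts[(root, f"{kind}:{name}")]
            c["count"] += 1
            c["forced"] += int(tk["forced"])
            c["via_cmd"] += int(parent is not None and basename(parent.image) == "cmd.exe")
    return [{"root_pid": root, "root_image": by_pid[root].image, "target": target, **c}
            for (root, target), c in counts.items() if c["count"] >= threshold]


if __name__ == "__main__":
    for finding in find_kill_chains(EVENTS):
        print(finding)
```

Run as-is it reports a single finding: root PID 2208 (99.exe) forcing the kill of im:上号器.exe seven times, all seven via cmd.exe. On real telemetry (Sysmon event 1, EDR process-start feeds) the same functions apply once the events are mapped onto ProcEvent; raising the threshold trades recall for fewer hits from legitimate installers and cleanup scripts that also call taskkill /f.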