fc8befbb2ee38e34194117a2efb43e9cc37eb7f631592372103b81bc0cb428bb

Analysis

max time kernel
125s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
01/10/2023, 07:28

Target

fc8befbb2ee38e34194117a2efb43e9cc37eb7f631592372103b81bc0cb428bb.exe
Size

780KB
MD5

ef6bc690ed8b678430f07299837d1d3a
SHA1

882fe7d32066d37060205654801cb5b1a4732220
SHA256

fc8befbb2ee38e34194117a2efb43e9cc37eb7f631592372103b81bc0cb428bb
SHA512

c2cba6f6e77f55355c4cbd4b04a92a1eea89293a32c8644bbe507f74f87dd64b9ffacb250c4f6676dfa5f2b36e98de01061b71602204b257d967eb69400f3b53
SSDEEP

6144:WnqWd4vwVTSFQvPh9pNFYA7ZLuSRlDwcugHx9e2v827zxs2EazeEnFLsS4L77GKj:eqWdgGPBNFYA5uWw2nfx+LrbLvf

Score

1^/10

Kills process with taskkill 1 IoCs

evasion

pid	Process
2924	taskkill.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2924	taskkill.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4600 wrote to memory of 800	4600	fc8befbb2ee38e34194117a2efb43e9cc37eb7f631592372103b81bc0cb428bb.exe	83
PID 4600 wrote to memory of 800	4600	fc8befbb2ee38e34194117a2efb43e9cc37eb7f631592372103b81bc0cb428bb.exe	83
PID 800 wrote to memory of 2924	800	cmd.exe	84
PID 800 wrote to memory of 2924	800	cmd.exe	84

C:\Users\Admin\AppData\Local\Temp\fc8befbb2ee38e34194117a2efb43e9cc37eb7f631592372103b81bc0cb428bb.exe
"C:\Users\Admin\AppData\Local\Temp\fc8befbb2ee38e34194117a2efb43e9cc37eb7f631592372103b81bc0cb428bb.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4600
- C:\Windows\system32\cmd.exe
  "cmd" /C "taskkill /IM wei-updater.exe.exe /F"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:800
- - C:\Windows\system32\taskkill.exe
    taskkill /IM wei-updater.exe.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2924