3096973acd0408ca6115b08d3e7968a5f029e353878991a39c22cc3f9d60683d

Analysis

max time kernel
152s
max time network
46s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
12/10/2023, 04:51

Target

tmp.exe
Size

673KB
MD5

86841a1ccb8603fd4c5f44ab5f978d4d
SHA1

00c814bca41e7da4e5694534dbafa6201484bc4e
SHA256

3096973acd0408ca6115b08d3e7968a5f029e353878991a39c22cc3f9d60683d
SHA512

519aa6b845a12d3f3a0b7cb6654796f2c08ea6f0912a9a1490fef52a39e535bfb57e44f7e19b974a3cd4e4ae6d185681de464a7924faf9511e6a4ff6abee425d
SSDEEP

12288:FrD6UaPEy03p4YIWo4FhXf0fDT2akV4+dcWTWNH5AyLY/VZ0K:1D/PJnIWo47p4QdTs5DYNWK

Score

1^/10

Suspicious behavior: EnumeratesProcesses 5 IoCs

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2416	tmp.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 2652	2416	tmp.exe	28
PID 2416 wrote to memory of 2652	2416	tmp.exe	28
PID 2416 wrote to memory of 2652	2416	tmp.exe	28
PID 2416 wrote to memory of 2652	2416	tmp.exe	28
PID 2416 wrote to memory of 2776	2416	tmp.exe	29
PID 2416 wrote to memory of 2776	2416	tmp.exe	29
PID 2416 wrote to memory of 2776	2416	tmp.exe	29
PID 2416 wrote to memory of 2776	2416	tmp.exe	29
PID 2416 wrote to memory of 2604	2416	tmp.exe	30
PID 2416 wrote to memory of 2604	2416	tmp.exe	30
PID 2416 wrote to memory of 2604	2416	tmp.exe	30
PID 2416 wrote to memory of 2604	2416	tmp.exe	30
PID 2416 wrote to memory of 2896	2416	tmp.exe	31
PID 2416 wrote to memory of 2896	2416	tmp.exe	31
PID 2416 wrote to memory of 2896	2416	tmp.exe	31
PID 2416 wrote to memory of 2896	2416	tmp.exe	31
PID 2416 wrote to memory of 2696	2416	tmp.exe	32
PID 2416 wrote to memory of 2696	2416	tmp.exe	32
PID 2416 wrote to memory of 2696	2416	tmp.exe	32
PID 2416 wrote to memory of 2696	2416	tmp.exe	32

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Users\Admin\AppData\Local\Temp\tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  2⤵
  PID:2652
- C:\Users\Admin\AppData\Local\Temp\tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  2⤵
  PID:2776
- C:\Users\Admin\AppData\Local\Temp\tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  2⤵
  PID:2604
- C:\Users\Admin\AppData\Local\Temp\tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  2⤵
  PID:2896
- C:\Users\Admin\AppData\Local\Temp\tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  2⤵
  PID:2696

memory/2416-0-0x0000000000380000-0x000000000042E000-memory.dmp

Filesize
696KB

Download
memory/2416-1-0x00000000744F0000-0x0000000074BDE000-memory.dmp

Filesize
6.9MB

Download
memory/2416-2-0x00000000744F0000-0x0000000074BDE000-memory.dmp

Filesize
6.9MB

Download
memory/2416-3-0x0000000004450000-0x0000000004490000-memory.dmp

Filesize
256KB

Download
memory/2416-4-0x0000000000430000-0x000000000044A000-memory.dmp

Filesize
104KB

Download
memory/2416-5-0x0000000004450000-0x0000000004490000-memory.dmp

Filesize
256KB

Download
memory/2416-6-0x0000000000370000-0x000000000037A000-memory.dmp

Filesize
40KB

Download
memory/2416-7-0x0000000000450000-0x000000000045C000-memory.dmp

Filesize
48KB

Download
memory/2416-8-0x00000000057C0000-0x000000000583C000-memory.dmp

Filesize
496KB

Download
memory/2416-9-0x00000000744F0000-0x0000000074BDE000-memory.dmp

Filesize
6.9MB

Download