8b72a2bbad31865b134a9ec86398f4a6d5cd6fe1c8080efe2e949cdfd06b2e09

Analysis

max time kernel
147s
max time network
126s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
12/10/2023, 12:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8b72a2bbad31865b134a9ec86398f4a6d5cd6fe1c8080efe2e949cdfd06b2e09.exe
Size

62KB
MD5

afb5cb7872e1e15ccda5de2ee406947d
SHA1

6342e47ff907e9f4f51fd599a6347156b2fe24e3
SHA256

8b72a2bbad31865b134a9ec86398f4a6d5cd6fe1c8080efe2e949cdfd06b2e09
SHA512

d67c9ce4573ce9cf46c41f65af494d8cf8a9c3bdc17b5ff06180ce8a35bf974c3177218af52b60c21d7c9c257f2ae34396d35bbbe79bb5d2976a91bf787eec0a
SSDEEP

768:iys4UQyEqmqAivieRl7wHjVwPd8Ni7ClGFJKd:miyEqmsxzujwZrF6

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1948	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1948	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 1892	2184	8b72a2bbad31865b134a9ec86398f4a6d5cd6fe1c8080efe2e949cdfd06b2e09.exe	29
PID 2184 wrote to memory of 1892	2184	8b72a2bbad31865b134a9ec86398f4a6d5cd6fe1c8080efe2e949cdfd06b2e09.exe	29
PID 2184 wrote to memory of 1892	2184	8b72a2bbad31865b134a9ec86398f4a6d5cd6fe1c8080efe2e949cdfd06b2e09.exe	29
PID 1892 wrote to memory of 1948	1892	cmd.exe	30
PID 1892 wrote to memory of 1948	1892	cmd.exe	30
PID 1892 wrote to memory of 1948	1892	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\8b72a2bbad31865b134a9ec86398f4a6d5cd6fe1c8080efe2e949cdfd06b2e09.exe
"C:\Users\Admin\AppData\Local\Temp\8b72a2bbad31865b134a9ec86398f4a6d5cd6fe1c8080efe2e949cdfd06b2e09.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Roaming\temps1\temp1.ps1"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1892
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Roaming\temps1\temp1.ps1"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1948

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\temps1\temp1.ps1

Filesize
2KB

MD5
e49a22252b02a1796bf77391c7d9899e

SHA1
6f53d28310d135fa33ada71516f63a4bfa10f3a8

SHA256
af012b7fd89a629ee7342219148f9ceacd89d0bbb628a7c085de848d71555588

SHA512
dd514b5be4033a327a7bf904405f5d20e2860efd949a499e35e3f9b311716fe594f596362888e471d57050b1e85b9143ff39f2b7120888ddcac1f95d7666eeda

Download Submit
memory/1948-11-0x000007FEF5440000-0x000007FEF5DDD000-memory.dmp

Filesize
9.6MB

Download
memory/1948-13-0x000007FEF5440000-0x000007FEF5DDD000-memory.dmp

Filesize
9.6MB

Download
memory/1948-7-0x000007FEF5440000-0x000007FEF5DDD000-memory.dmp

Filesize
9.6MB

Download
memory/1948-9-0x0000000002850000-0x00000000028D0000-memory.dmp

Filesize
512KB

Download
memory/1948-6-0x00000000022F0000-0x00000000022F8000-memory.dmp

Filesize
32KB

Download
memory/1948-5-0x000000001B430000-0x000000001B712000-memory.dmp

Filesize
2.9MB

Download
memory/1948-12-0x0000000002850000-0x00000000028D0000-memory.dmp

Filesize
512KB

Download
memory/1948-8-0x0000000002850000-0x00000000028D0000-memory.dmp

Filesize
512KB

Download
memory/1948-14-0x0000000002850000-0x00000000028D0000-memory.dmp

Filesize
512KB

Download
memory/1948-15-0x0000000002850000-0x00000000028D0000-memory.dmp

Filesize
512KB

Download
memory/1948-16-0x0000000002850000-0x00000000028D0000-memory.dmp

Filesize
512KB

Download
memory/1948-17-0x000007FEF5440000-0x000007FEF5DDD000-memory.dmp

Filesize
9.6MB

Download
memory/1948-19-0x0000000002850000-0x00000000028D0000-memory.dmp

Filesize
512KB

Download
memory/2184-18-0x000000013F0F0000-0x000000013F105000-memory.dmp

Filesize
84KB

Download