81cd6e1c6e1f9400e31b122dfa2c7acf274192ec560a9d29190a70abd04b20e2

Analysis

max time kernel
132s
max time network
136s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
23/10/2023, 07:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

81cd6e1c6e1f9400e31b122dfa2c7acf274192ec560a9d29190a70abd04b20e2.exe
Size

837KB
MD5

b458e336911f092177a64d07b0bf1c76
SHA1

53c66117a6f17e2d76b7a8a658f1ff0773516081
SHA256

81cd6e1c6e1f9400e31b122dfa2c7acf274192ec560a9d29190a70abd04b20e2
SHA512

2b19cd8e173543449711bbb5f829096688ef688240a68a2021b622ccbdbad53559e171d38b161f71c9585ed58e0871b6fc7d98dc52bd4e36f3435fd11e8621c4
SSDEEP

24576:8II1yp0tk0TdMil1iD5Fk8C1LGF6KXcA9:VS1k0JleFk82CF5d

Score

1^/10

Malware Config

Signatures

Suspicious use of AdjustPrivilegeToken 47 IoCs

description	pid	Process
Token: SeDebugPrivilege	2648	whoami.exe
Token: SeDebugPrivilege	2716	whoami.exe
Token: SeDebugPrivilege	2812	whoami.exe
Token: SeDebugPrivilege	2812	whoami.exe
Token: SeDebugPrivilege	2812	whoami.exe
Token: SeDebugPrivilege	2812	whoami.exe
Token: SeDebugPrivilege	2812	whoami.exe
Token: SeDebugPrivilege	2812	whoami.exe
Token: SeDebugPrivilege	2812	whoami.exe
Token: SeDebugPrivilege	2812	whoami.exe
Token: SeDebugPrivilege	2812	whoami.exe
Token: SeDebugPrivilege	2812	whoami.exe
Token: SeDebugPrivilege	2812	whoami.exe
Token: SeDebugPrivilege	2812	whoami.exe
Token: SeDebugPrivilege	2812	whoami.exe
Token: SeDebugPrivilege	2812	whoami.exe
Token: SeDebugPrivilege	2812	whoami.exe
Token: SeDebugPrivilege	2812	whoami.exe
Token: SeDebugPrivilege	2812	whoami.exe
Token: SeDebugPrivilege	2812	whoami.exe
Token: SeDebugPrivilege	2812	whoami.exe
Token: SeDebugPrivilege	2812	whoami.exe
Token: SeDebugPrivilege	2812	whoami.exe
Token: SeDebugPrivilege	2812	whoami.exe
Token: SeDebugPrivilege	2232	whoami.exe
Token: SeDebugPrivilege	2232	whoami.exe
Token: SeDebugPrivilege	2232	whoami.exe
Token: SeDebugPrivilege	2232	whoami.exe
Token: SeDebugPrivilege	2232	whoami.exe
Token: SeDebugPrivilege	2232	whoami.exe
Token: SeDebugPrivilege	2232	whoami.exe
Token: SeDebugPrivilege	2232	whoami.exe
Token: SeDebugPrivilege	2232	whoami.exe
Token: SeDebugPrivilege	2232	whoami.exe
Token: SeDebugPrivilege	2232	whoami.exe
Token: SeDebugPrivilege	2232	whoami.exe
Token: SeDebugPrivilege	2232	whoami.exe
Token: SeDebugPrivilege	2232	whoami.exe
Token: SeDebugPrivilege	2232	whoami.exe
Token: SeDebugPrivilege	2232	whoami.exe
Token: SeDebugPrivilege	2232	whoami.exe
Token: SeDebugPrivilege	2232	whoami.exe
Token: SeDebugPrivilege	2232	whoami.exe
Token: SeDebugPrivilege	2232	whoami.exe
Token: SeDebugPrivilege	2232	whoami.exe
Token: SeDebugPrivilege	2232	whoami.exe
Token: SeDebugPrivilege	2232	whoami.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 2120 wrote to memory of 2108	2120	81cd6e1c6e1f9400e31b122dfa2c7acf274192ec560a9d29190a70abd04b20e2.exe	28
PID 2120 wrote to memory of 2108	2120	81cd6e1c6e1f9400e31b122dfa2c7acf274192ec560a9d29190a70abd04b20e2.exe	28
PID 2120 wrote to memory of 2108	2120	81cd6e1c6e1f9400e31b122dfa2c7acf274192ec560a9d29190a70abd04b20e2.exe	28
PID 2108 wrote to memory of 2648	2108	cmd.exe	30
PID 2108 wrote to memory of 2648	2108	cmd.exe	30
PID 2108 wrote to memory of 2648	2108	cmd.exe	30
PID 2120 wrote to memory of 2024	2120	81cd6e1c6e1f9400e31b122dfa2c7acf274192ec560a9d29190a70abd04b20e2.exe	31
PID 2120 wrote to memory of 2024	2120	81cd6e1c6e1f9400e31b122dfa2c7acf274192ec560a9d29190a70abd04b20e2.exe	31
PID 2120 wrote to memory of 2024	2120	81cd6e1c6e1f9400e31b122dfa2c7acf274192ec560a9d29190a70abd04b20e2.exe	31
PID 2024 wrote to memory of 1748	2024	cmd.exe	33
PID 2024 wrote to memory of 1748	2024	cmd.exe	33
PID 2024 wrote to memory of 1748	2024	cmd.exe	33
PID 2120 wrote to memory of 2748	2120	81cd6e1c6e1f9400e31b122dfa2c7acf274192ec560a9d29190a70abd04b20e2.exe	34
PID 2120 wrote to memory of 2748	2120	81cd6e1c6e1f9400e31b122dfa2c7acf274192ec560a9d29190a70abd04b20e2.exe	34
PID 2120 wrote to memory of 2748	2120	81cd6e1c6e1f9400e31b122dfa2c7acf274192ec560a9d29190a70abd04b20e2.exe	34
PID 2748 wrote to memory of 2412	2748	cmd.exe	36
PID 2748 wrote to memory of 2412	2748	cmd.exe	36
PID 2748 wrote to memory of 2412	2748	cmd.exe	36
PID 2120 wrote to memory of 2704	2120	81cd6e1c6e1f9400e31b122dfa2c7acf274192ec560a9d29190a70abd04b20e2.exe	37
PID 2120 wrote to memory of 2704	2120	81cd6e1c6e1f9400e31b122dfa2c7acf274192ec560a9d29190a70abd04b20e2.exe	37
PID 2120 wrote to memory of 2704	2120	81cd6e1c6e1f9400e31b122dfa2c7acf274192ec560a9d29190a70abd04b20e2.exe	37
PID 2704 wrote to memory of 2768	2704	cmd.exe	39
PID 2704 wrote to memory of 2768	2704	cmd.exe	39
PID 2704 wrote to memory of 2768	2704	cmd.exe	39
PID 2120 wrote to memory of 2788	2120	81cd6e1c6e1f9400e31b122dfa2c7acf274192ec560a9d29190a70abd04b20e2.exe	40
PID 2120 wrote to memory of 2788	2120	81cd6e1c6e1f9400e31b122dfa2c7acf274192ec560a9d29190a70abd04b20e2.exe	40
PID 2120 wrote to memory of 2788	2120	81cd6e1c6e1f9400e31b122dfa2c7acf274192ec560a9d29190a70abd04b20e2.exe	40
PID 2788 wrote to memory of 2716	2788	cmd.exe	42
PID 2788 wrote to memory of 2716	2788	cmd.exe	42
PID 2788 wrote to memory of 2716	2788	cmd.exe	42
PID 2120 wrote to memory of 2784	2120	81cd6e1c6e1f9400e31b122dfa2c7acf274192ec560a9d29190a70abd04b20e2.exe	43
PID 2120 wrote to memory of 2784	2120	81cd6e1c6e1f9400e31b122dfa2c7acf274192ec560a9d29190a70abd04b20e2.exe	43
PID 2120 wrote to memory of 2784	2120	81cd6e1c6e1f9400e31b122dfa2c7acf274192ec560a9d29190a70abd04b20e2.exe	43
PID 2784 wrote to memory of 2812	2784	cmd.exe	45
PID 2784 wrote to memory of 2812	2784	cmd.exe	45
PID 2784 wrote to memory of 2812	2784	cmd.exe	45
PID 2120 wrote to memory of 2696	2120	81cd6e1c6e1f9400e31b122dfa2c7acf274192ec560a9d29190a70abd04b20e2.exe	46
PID 2120 wrote to memory of 2696	2120	81cd6e1c6e1f9400e31b122dfa2c7acf274192ec560a9d29190a70abd04b20e2.exe	46
PID 2120 wrote to memory of 2696	2120	81cd6e1c6e1f9400e31b122dfa2c7acf274192ec560a9d29190a70abd04b20e2.exe	46
PID 2696 wrote to memory of 2928	2696	cmd.exe	48
PID 2696 wrote to memory of 2928	2696	cmd.exe	48
PID 2696 wrote to memory of 2928	2696	cmd.exe	48
PID 2120 wrote to memory of 2680	2120	81cd6e1c6e1f9400e31b122dfa2c7acf274192ec560a9d29190a70abd04b20e2.exe	49
PID 2120 wrote to memory of 2680	2120	81cd6e1c6e1f9400e31b122dfa2c7acf274192ec560a9d29190a70abd04b20e2.exe	49
PID 2120 wrote to memory of 2680	2120	81cd6e1c6e1f9400e31b122dfa2c7acf274192ec560a9d29190a70abd04b20e2.exe	49
PID 2680 wrote to memory of 2652	2680	cmd.exe	51
PID 2680 wrote to memory of 2652	2680	cmd.exe	51
PID 2680 wrote to memory of 2652	2680	cmd.exe	51
PID 2120 wrote to memory of 2588	2120	81cd6e1c6e1f9400e31b122dfa2c7acf274192ec560a9d29190a70abd04b20e2.exe	52
PID 2120 wrote to memory of 2588	2120	81cd6e1c6e1f9400e31b122dfa2c7acf274192ec560a9d29190a70abd04b20e2.exe	52
PID 2120 wrote to memory of 2588	2120	81cd6e1c6e1f9400e31b122dfa2c7acf274192ec560a9d29190a70abd04b20e2.exe	52
PID 2588 wrote to memory of 2232	2588	cmd.exe	54
PID 2588 wrote to memory of 2232	2588	cmd.exe	54
PID 2588 wrote to memory of 2232	2588	cmd.exe	54

C:\Users\Admin\AppData\Local\Temp\81cd6e1c6e1f9400e31b122dfa2c7acf274192ec560a9d29190a70abd04b20e2.exe
"C:\Users\Admin\AppData\Local\Temp\81cd6e1c6e1f9400e31b122dfa2c7acf274192ec560a9d29190a70abd04b20e2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2120
- C:\Windows\system32\cmd.exe
  cmd.exe /c whoami 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2108
- - C:\Windows\system32\whoami.exe
    whoami
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2648
- C:\Windows\system32\cmd.exe
  cmd.exe /c whoami /upn 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Windows\system32\whoami.exe
    whoami /upn
    3⤵
    PID:1748
- C:\Windows\system32\cmd.exe
  cmd.exe /c whoami /fqdn 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Windows\system32\whoami.exe
    whoami /fqdn
    3⤵
    PID:2412
- C:\Windows\system32\cmd.exe
  cmd.exe /c whoami /logonid 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Windows\system32\whoami.exe
    whoami /logonid
    3⤵
    PID:2768
- C:\Windows\system32\cmd.exe
  cmd.exe /c whoami /user 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2788
- - C:\Windows\system32\whoami.exe
    whoami /user
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2716
- C:\Windows\system32\cmd.exe
  cmd.exe /c whoami /groups 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Windows\system32\whoami.exe
    whoami /groups
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2812
- C:\Windows\system32\cmd.exe
  cmd.exe /c whoami /claims 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Windows\system32\whoami.exe
    whoami /claims
    3⤵
    PID:2928
- C:\Windows\system32\cmd.exe
  cmd.exe /c whoami /priv 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Windows\system32\whoami.exe
    whoami /priv
    3⤵
    PID:2652
- C:\Windows\system32\cmd.exe
  cmd.exe /c whoami /all 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2588
- - C:\Windows\system32\whoami.exe
    whoami /all
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2232

Windows 7 deprecation

Loading Replay Monitor...

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads