81cd6e1c6e1f9400e31b122dfa2c7acf274192ec560a9d29190a70abd04b20e2

Analysis

max time kernel
141s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
23-10-2023 07:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

81cd6e1c6e1f9400e31b122dfa2c7acf274192ec560a9d29190a70abd04b20e2.exe
Size

837KB
MD5

b458e336911f092177a64d07b0bf1c76
SHA1

53c66117a6f17e2d76b7a8a658f1ff0773516081
SHA256

81cd6e1c6e1f9400e31b122dfa2c7acf274192ec560a9d29190a70abd04b20e2
SHA512

2b19cd8e173543449711bbb5f829096688ef688240a68a2021b622ccbdbad53559e171d38b161f71c9585ed58e0871b6fc7d98dc52bd4e36f3435fd11e8621c4
SSDEEP

24576:8II1yp0tk0TdMil1iD5Fk8C1LGF6KXcA9:VS1k0JleFk82CF5d

Score

1^/10

Malware Config

Signatures

Suspicious use of AdjustPrivilegeToken 55 IoCs

description	pid	Process
Token: SeDebugPrivilege	3048	whoami.exe
Token: SeDebugPrivilege	1036	whoami.exe
Token: SeDebugPrivilege	2540	whoami.exe
Token: SeDebugPrivilege	2540	whoami.exe
Token: SeDebugPrivilege	2540	whoami.exe
Token: SeDebugPrivilege	2540	whoami.exe
Token: SeDebugPrivilege	2540	whoami.exe
Token: SeDebugPrivilege	2540	whoami.exe
Token: SeDebugPrivilege	2540	whoami.exe
Token: SeDebugPrivilege	2540	whoami.exe
Token: SeDebugPrivilege	2540	whoami.exe
Token: SeDebugPrivilege	2540	whoami.exe
Token: SeDebugPrivilege	2540	whoami.exe
Token: SeDebugPrivilege	2540	whoami.exe
Token: SeDebugPrivilege	2540	whoami.exe
Token: SeDebugPrivilege	2540	whoami.exe
Token: SeDebugPrivilege	2540	whoami.exe
Token: SeDebugPrivilege	2540	whoami.exe
Token: SeDebugPrivilege	2540	whoami.exe
Token: SeDebugPrivilege	2540	whoami.exe
Token: SeDebugPrivilege	2540	whoami.exe
Token: SeDebugPrivilege	2540	whoami.exe
Token: SeDebugPrivilege	2540	whoami.exe
Token: SeDebugPrivilege	2540	whoami.exe
Token: SeDebugPrivilege	2540	whoami.exe
Token: SeDebugPrivilege	2540	whoami.exe
Token: SeDebugPrivilege	2540	whoami.exe
Token: SeDebugPrivilege	2540	whoami.exe
Token: SeDebugPrivilege	2144	whoami.exe
Token: SeDebugPrivilege	2144	whoami.exe
Token: SeDebugPrivilege	2144	whoami.exe
Token: SeDebugPrivilege	2144	whoami.exe
Token: SeDebugPrivilege	2144	whoami.exe
Token: SeDebugPrivilege	2144	whoami.exe
Token: SeDebugPrivilege	2144	whoami.exe
Token: SeDebugPrivilege	2144	whoami.exe
Token: SeDebugPrivilege	2144	whoami.exe
Token: SeDebugPrivilege	2144	whoami.exe
Token: SeDebugPrivilege	2144	whoami.exe
Token: SeDebugPrivilege	2144	whoami.exe
Token: SeDebugPrivilege	2144	whoami.exe
Token: SeDebugPrivilege	2144	whoami.exe
Token: SeDebugPrivilege	2144	whoami.exe
Token: SeDebugPrivilege	2144	whoami.exe
Token: SeDebugPrivilege	2144	whoami.exe
Token: SeDebugPrivilege	2144	whoami.exe
Token: SeDebugPrivilege	2144	whoami.exe
Token: SeDebugPrivilege	2144	whoami.exe
Token: SeDebugPrivilege	2144	whoami.exe
Token: SeDebugPrivilege	2144	whoami.exe
Token: SeDebugPrivilege	2144	whoami.exe
Token: SeDebugPrivilege	2144	whoami.exe
Token: SeDebugPrivilege	2144	whoami.exe
Token: SeDebugPrivilege	2144	whoami.exe
Token: SeDebugPrivilege	2144	whoami.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 212 wrote to memory of 1592	212	81cd6e1c6e1f9400e31b122dfa2c7acf274192ec560a9d29190a70abd04b20e2.exe	85
PID 212 wrote to memory of 1592	212	81cd6e1c6e1f9400e31b122dfa2c7acf274192ec560a9d29190a70abd04b20e2.exe	85
PID 1592 wrote to memory of 3048	1592	cmd.exe	87
PID 1592 wrote to memory of 3048	1592	cmd.exe	87
PID 212 wrote to memory of 2948	212	81cd6e1c6e1f9400e31b122dfa2c7acf274192ec560a9d29190a70abd04b20e2.exe	88
PID 212 wrote to memory of 2948	212	81cd6e1c6e1f9400e31b122dfa2c7acf274192ec560a9d29190a70abd04b20e2.exe	88
PID 2948 wrote to memory of 1152	2948	cmd.exe	90
PID 2948 wrote to memory of 1152	2948	cmd.exe	90
PID 212 wrote to memory of 988	212	81cd6e1c6e1f9400e31b122dfa2c7acf274192ec560a9d29190a70abd04b20e2.exe	91
PID 212 wrote to memory of 988	212	81cd6e1c6e1f9400e31b122dfa2c7acf274192ec560a9d29190a70abd04b20e2.exe	91
PID 988 wrote to memory of 880	988	cmd.exe	93
PID 988 wrote to memory of 880	988	cmd.exe	93
PID 212 wrote to memory of 3256	212	81cd6e1c6e1f9400e31b122dfa2c7acf274192ec560a9d29190a70abd04b20e2.exe	94
PID 212 wrote to memory of 3256	212	81cd6e1c6e1f9400e31b122dfa2c7acf274192ec560a9d29190a70abd04b20e2.exe	94
PID 3256 wrote to memory of 3948	3256	cmd.exe	96
PID 3256 wrote to memory of 3948	3256	cmd.exe	96
PID 212 wrote to memory of 4896	212	81cd6e1c6e1f9400e31b122dfa2c7acf274192ec560a9d29190a70abd04b20e2.exe	97
PID 212 wrote to memory of 4896	212	81cd6e1c6e1f9400e31b122dfa2c7acf274192ec560a9d29190a70abd04b20e2.exe	97
PID 4896 wrote to memory of 1036	4896	cmd.exe	99
PID 4896 wrote to memory of 1036	4896	cmd.exe	99
PID 212 wrote to memory of 2036	212	81cd6e1c6e1f9400e31b122dfa2c7acf274192ec560a9d29190a70abd04b20e2.exe	100
PID 212 wrote to memory of 2036	212	81cd6e1c6e1f9400e31b122dfa2c7acf274192ec560a9d29190a70abd04b20e2.exe	100
PID 2036 wrote to memory of 2540	2036	cmd.exe	102
PID 2036 wrote to memory of 2540	2036	cmd.exe	102
PID 212 wrote to memory of 1108	212	81cd6e1c6e1f9400e31b122dfa2c7acf274192ec560a9d29190a70abd04b20e2.exe	103
PID 212 wrote to memory of 1108	212	81cd6e1c6e1f9400e31b122dfa2c7acf274192ec560a9d29190a70abd04b20e2.exe	103
PID 1108 wrote to memory of 2024	1108	cmd.exe	105
PID 1108 wrote to memory of 2024	1108	cmd.exe	105
PID 212 wrote to memory of 3840	212	81cd6e1c6e1f9400e31b122dfa2c7acf274192ec560a9d29190a70abd04b20e2.exe	106
PID 212 wrote to memory of 3840	212	81cd6e1c6e1f9400e31b122dfa2c7acf274192ec560a9d29190a70abd04b20e2.exe	106
PID 3840 wrote to memory of 4908	3840	cmd.exe	108
PID 3840 wrote to memory of 4908	3840	cmd.exe	108
PID 212 wrote to memory of 4428	212	81cd6e1c6e1f9400e31b122dfa2c7acf274192ec560a9d29190a70abd04b20e2.exe	109
PID 212 wrote to memory of 4428	212	81cd6e1c6e1f9400e31b122dfa2c7acf274192ec560a9d29190a70abd04b20e2.exe	109
PID 4428 wrote to memory of 2144	4428	cmd.exe	112
PID 4428 wrote to memory of 2144	4428	cmd.exe	112

C:\Users\Admin\AppData\Local\Temp\81cd6e1c6e1f9400e31b122dfa2c7acf274192ec560a9d29190a70abd04b20e2.exe
"C:\Users\Admin\AppData\Local\Temp\81cd6e1c6e1f9400e31b122dfa2c7acf274192ec560a9d29190a70abd04b20e2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:212
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c whoami 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1592
- - C:\Windows\system32\whoami.exe
    whoami
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3048
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c whoami /upn 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2948
- - C:\Windows\system32\whoami.exe
    whoami /upn
    3⤵
    PID:1152
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c whoami /fqdn 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:988
- - C:\Windows\system32\whoami.exe
    whoami /fqdn
    3⤵
    PID:880
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c whoami /logonid 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3256
- - C:\Windows\system32\whoami.exe
    whoami /logonid
    3⤵
    PID:3948
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c whoami /user 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4896
- - C:\Windows\system32\whoami.exe
    whoami /user
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1036
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c whoami /groups 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Windows\system32\whoami.exe
    whoami /groups
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2540
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c whoami /claims 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1108
- - C:\Windows\system32\whoami.exe
    whoami /claims
    3⤵
    PID:2024
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c whoami /priv 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3840
- - C:\Windows\system32\whoami.exe
    whoami /priv
    3⤵
    PID:4908
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c whoami /all 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4428
- - C:\Windows\system32\whoami.exe
    whoami /all
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2144

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads