c88aeb0fb3b2e793a08caf2c040c24e1f5b6eddec61c22b484862d4428a0af03

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
24/11/2023, 06:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TokenBroker.exe
Size

450KB
MD5

62adf1c05748656fce6bbb99a4e0d517
SHA1

ff2dcb97c76aab26334fe031c3a0e7c0e4b94f25
SHA256

c88aeb0fb3b2e793a08caf2c040c24e1f5b6eddec61c22b484862d4428a0af03
SHA512

6f92de67a16081ec9954b44821cd06ea1facf7877196413ff76c028bf359a8ab486b34a82da74b20364524b0bdbc4949e0197fce14e7f4e7776b794d6ae98a9a
SSDEEP

12288:SAzy+91FLh+moqhjdzADZMdTy+mevAKuBsEYYYNxnz:SAzy+H/jdzyZStf9uEZz

Score

1^/10

Malware Config

Signatures

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 680 wrote to memory of 2780	680	TokenBroker.exe	92
PID 680 wrote to memory of 2780	680	TokenBroker.exe	92
PID 2780 wrote to memory of 2664	2780	TokenBroker.exe	93
PID 2780 wrote to memory of 2664	2780	TokenBroker.exe	93
PID 2664 wrote to memory of 3608	2664	TokenBroker.exe	96
PID 2664 wrote to memory of 3608	2664	TokenBroker.exe	96
PID 3608 wrote to memory of 5080	3608	TokenBroker.exe	97
PID 3608 wrote to memory of 5080	3608	TokenBroker.exe	97
PID 5080 wrote to memory of 3368	5080	TokenBroker.exe	98
PID 5080 wrote to memory of 3368	5080	TokenBroker.exe	98
PID 3368 wrote to memory of 4948	3368	TokenBroker.exe	99
PID 3368 wrote to memory of 4948	3368	TokenBroker.exe	99
PID 4948 wrote to memory of 1688	4948	TokenBroker.exe	101
PID 4948 wrote to memory of 1688	4948	TokenBroker.exe	101
PID 1688 wrote to memory of 4876	1688	TokenBroker.exe	102
PID 1688 wrote to memory of 4876	1688	TokenBroker.exe	102
PID 4876 wrote to memory of 2472	4876	TokenBroker.exe	103
PID 4876 wrote to memory of 2472	4876	TokenBroker.exe	103
PID 2472 wrote to memory of 2932	2472	TokenBroker.exe	104
PID 2472 wrote to memory of 2932	2472	TokenBroker.exe	104
PID 2932 wrote to memory of 3140	2932	TokenBroker.exe	105
PID 2932 wrote to memory of 3140	2932	TokenBroker.exe	105
PID 3140 wrote to memory of 4928	3140	TokenBroker.exe	106
PID 3140 wrote to memory of 4928	3140	TokenBroker.exe	106
PID 4928 wrote to memory of 5068	4928	TokenBroker.exe	107
PID 4928 wrote to memory of 5068	4928	TokenBroker.exe	107
PID 5068 wrote to memory of 2464	5068	TokenBroker.exe	108
PID 5068 wrote to memory of 2464	5068	TokenBroker.exe	108
PID 2464 wrote to memory of 3940	2464	TokenBroker.exe	109
PID 2464 wrote to memory of 3940	2464	TokenBroker.exe	109
PID 3940 wrote to memory of 4760	3940	TokenBroker.exe	110
PID 3940 wrote to memory of 4760	3940	TokenBroker.exe	110
PID 4760 wrote to memory of 4372	4760	TokenBroker.exe	111
PID 4760 wrote to memory of 4372	4760	TokenBroker.exe	111
PID 4372 wrote to memory of 1428	4372	TokenBroker.exe	112
PID 4372 wrote to memory of 1428	4372	TokenBroker.exe	112
PID 1428 wrote to memory of 3800	1428	TokenBroker.exe	113
PID 1428 wrote to memory of 3800	1428	TokenBroker.exe	113
PID 3800 wrote to memory of 1284	3800	TokenBroker.exe	114
PID 3800 wrote to memory of 1284	3800	TokenBroker.exe	114
PID 1284 wrote to memory of 1588	1284	TokenBroker.exe	115
PID 1284 wrote to memory of 1588	1284	TokenBroker.exe	115
PID 1588 wrote to memory of 2068	1588	TokenBroker.exe	116
PID 1588 wrote to memory of 2068	1588	TokenBroker.exe	116
PID 2068 wrote to memory of 5084	2068	TokenBroker.exe	117
PID 2068 wrote to memory of 5084	2068	TokenBroker.exe	117
PID 5084 wrote to memory of 3636	5084	TokenBroker.exe	118
PID 5084 wrote to memory of 3636	5084	TokenBroker.exe	118
PID 3636 wrote to memory of 3696	3636	TokenBroker.exe	119
PID 3636 wrote to memory of 3696	3636	TokenBroker.exe	119
PID 3696 wrote to memory of 1700	3696	TokenBroker.exe	120
PID 3696 wrote to memory of 1700	3696	TokenBroker.exe	120
PID 1700 wrote to memory of 4808	1700	TokenBroker.exe	121
PID 1700 wrote to memory of 4808	1700	TokenBroker.exe	121
PID 4808 wrote to memory of 1824	4808	TokenBroker.exe	122
PID 4808 wrote to memory of 1824	4808	TokenBroker.exe	122
PID 1824 wrote to memory of 1372	1824	TokenBroker.exe	123
PID 1824 wrote to memory of 1372	1824	TokenBroker.exe	123
PID 1372 wrote to memory of 5020	1372	TokenBroker.exe	124
PID 1372 wrote to memory of 5020	1372	TokenBroker.exe	124
PID 5020 wrote to memory of 2216	5020	TokenBroker.exe	125
PID 5020 wrote to memory of 2216	5020	TokenBroker.exe	125
PID 2216 wrote to memory of 1280	2216	TokenBroker.exe	126
PID 2216 wrote to memory of 1280	2216	TokenBroker.exe	126

C:\Users\Admin\AppData\Local\Temp\TokenBroker.exe
"C:\Users\Admin\AppData\Local\Temp\TokenBroker.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:680
- C:\Users\Admin\AppData\Local\Temp\TokenBroker.exe
  C:\Users\Admin\AppData\Local\Temp\TokenBroker.exe 1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2780
- - C:\Users\Admin\AppData\Local\Temp\TokenBroker.exe
    C:\Users\Admin\AppData\Local\Temp\TokenBroker.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2664
  - - C:\Users\Admin\AppData\Local\Temp\TokenBroker.exe
      C:\Users\Admin\AppData\Local\Temp\TokenBroker.exe 1
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3608
    - - C:\Users\Admin\AppData\Local\Temp\TokenBroker.exe
        
        C:\Users\Admin\AppData\Local\Temp\TokenBroker.exe
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:5080
      - C:\Users\Admin\AppData\Local\Temp\TokenBroker.exe
        
        C:\Users\Admin\AppData\Local\Temp\TokenBroker.exe 1
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3368
        
        C:\Users\Admin\AppData\Local\Temp\TokenBroker.exe
        
        C:\Users\Admin\AppData\Local\Temp\TokenBroker.exe
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4948
        
        C:\Users\Admin\AppData\Local\Temp\TokenBroker.exe
        
        C:\Users\Admin\AppData\Local\Temp\TokenBroker.exe 1
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\Temp\TokenBroker.exe
        
        C:\Users\Admin\AppData\Local\Temp\TokenBroker.exe
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:4876
        
        C:\Users\Admin\AppData\Local\Temp\TokenBroker.exe
        
        C:\Users\Admin\AppData\Local\Temp\TokenBroker.exe 1
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\TokenBroker.exe
        
        C:\Users\Admin\AppData\Local\Temp\TokenBroker.exe
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\TokenBroker.exe
        
        C:\Users\Admin\AppData\Local\Temp\TokenBroker.exe 1
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:3140
        
        C:\Users\Admin\AppData\Local\Temp\TokenBroker.exe
        
        C:\Users\Admin\AppData\Local\Temp\TokenBroker.exe
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:4928
        
        C:\Users\Admin\AppData\Local\Temp\TokenBroker.exe
        
        C:\Users\Admin\AppData\Local\Temp\TokenBroker.exe 1
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:5068
        
        C:\Users\Admin\AppData\Local\Temp\TokenBroker.exe
        
        C:\Users\Admin\AppData\Local\Temp\TokenBroker.exe
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:2464
        
        C:\Users\Admin\AppData\Local\Temp\TokenBroker.exe
        
        C:\Users\Admin\AppData\Local\Temp\TokenBroker.exe 1
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:3940
        
        C:\Users\Admin\AppData\Local\Temp\TokenBroker.exe
        
        C:\Users\Admin\AppData\Local\Temp\TokenBroker.exe
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:4760
        
        C:\Users\Admin\AppData\Local\Temp\TokenBroker.exe
        
        C:\Users\Admin\AppData\Local\Temp\TokenBroker.exe 1
        18⤵
        Suspicious use of WriteProcessMemory
        
        PID:4372
        
        C:\Users\Admin\AppData\Local\Temp\TokenBroker.exe
        
        C:\Users\Admin\AppData\Local\Temp\TokenBroker.exe
        19⤵
        Suspicious use of WriteProcessMemory
        
        PID:1428
        
        C:\Users\Admin\AppData\Local\Temp\TokenBroker.exe
        
        C:\Users\Admin\AppData\Local\Temp\TokenBroker.exe 1
        20⤵
        Suspicious use of WriteProcessMemory
        
        PID:3800
        
        C:\Users\Admin\AppData\Local\Temp\TokenBroker.exe
        
        C:\Users\Admin\AppData\Local\Temp\TokenBroker.exe
        21⤵
        Suspicious use of WriteProcessMemory
        
        PID:1284
        
        C:\Users\Admin\AppData\Local\Temp\TokenBroker.exe
        
        C:\Users\Admin\AppData\Local\Temp\TokenBroker.exe 1
        22⤵
        Suspicious use of WriteProcessMemory
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\TokenBroker.exe
        
        C:\Users\Admin\AppData\Local\Temp\TokenBroker.exe
        23⤵
        Suspicious use of WriteProcessMemory
        
        PID:2068
        
        C:\Users\Admin\AppData\Local\Temp\TokenBroker.exe
        
        C:\Users\Admin\AppData\Local\Temp\TokenBroker.exe 1
        24⤵
        Suspicious use of WriteProcessMemory
        
        PID:5084
        
        C:\Users\Admin\AppData\Local\Temp\TokenBroker.exe
        
        C:\Users\Admin\AppData\Local\Temp\TokenBroker.exe
        25⤵
        Suspicious use of WriteProcessMemory
        
        PID:3636
        
        C:\Users\Admin\AppData\Local\Temp\TokenBroker.exe
        
        C:\Users\Admin\AppData\Local\Temp\TokenBroker.exe 1
        26⤵
        Suspicious use of WriteProcessMemory
        
        PID:3696
        
        C:\Users\Admin\AppData\Local\Temp\TokenBroker.exe
        
        C:\Users\Admin\AppData\Local\Temp\TokenBroker.exe
        27⤵
        Suspicious use of WriteProcessMemory
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\TokenBroker.exe
        
        C:\Users\Admin\AppData\Local\Temp\TokenBroker.exe 1
        28⤵
        Suspicious use of WriteProcessMemory
        
        PID:4808
        
        C:\Users\Admin\AppData\Local\Temp\TokenBroker.exe
        
        C:\Users\Admin\AppData\Local\Temp\TokenBroker.exe
        29⤵
        Suspicious use of WriteProcessMemory
        
        PID:1824
        
        C:\Users\Admin\AppData\Local\Temp\TokenBroker.exe
        
        C:\Users\Admin\AppData\Local\Temp\TokenBroker.exe 1
        30⤵
        Suspicious use of WriteProcessMemory
        
        PID:1372
        
        C:\Users\Admin\AppData\Local\Temp\TokenBroker.exe
        
        C:\Users\Admin\AppData\Local\Temp\TokenBroker.exe
        31⤵
        Suspicious use of WriteProcessMemory
        
        PID:5020
        
        C:\Users\Admin\AppData\Local\Temp\TokenBroker.exe
        
        C:\Users\Admin\AppData\Local\Temp\TokenBroker.exe 1
        32⤵
        Suspicious use of WriteProcessMemory
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\TokenBroker.exe
        
        C:\Users\Admin\AppData\Local\Temp\TokenBroker.exe
        33⤵
        
        PID:1280
        
        C:\Users\Admin\AppData\Local\Temp\TokenBroker.exe
        
        C:\Users\Admin\AppData\Local\Temp\TokenBroker.exe 1
        34⤵
        
        PID:5000
        
        C:\Users\Admin\AppData\Local\Temp\TokenBroker.exe
        
        C:\Users\Admin\AppData\Local\Temp\TokenBroker.exe
        35⤵
        
        PID:2452

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/680-1-0x00007FF638210000-0x00007FF638290000-memory.dmp

Filesize
512KB

Download
memory/1280-33-0x00007FF638210000-0x00007FF638290000-memory.dmp

Filesize
512KB

Download
memory/1284-21-0x00007FF638210000-0x00007FF638290000-memory.dmp

Filesize
512KB

Download
memory/1372-28-0x00007FF638210000-0x00007FF638290000-memory.dmp

Filesize
512KB

Download
memory/1428-19-0x00007FF638210000-0x00007FF638290000-memory.dmp

Filesize
512KB

Download
memory/1588-20-0x00007FF638210000-0x00007FF638290000-memory.dmp

Filesize
512KB

Download
memory/1688-6-0x00007FF638210000-0x00007FF638290000-memory.dmp

Filesize
512KB

Download
memory/1700-27-0x00007FF638210000-0x00007FF638290000-memory.dmp

Filesize
512KB

Download
memory/1824-29-0x00007FF638210000-0x00007FF638290000-memory.dmp

Filesize
512KB

Download
memory/2068-23-0x00007FF638210000-0x00007FF638290000-memory.dmp

Filesize
512KB

Download
memory/2216-30-0x00007FF638210000-0x00007FF638290000-memory.dmp

Filesize
512KB

Download
memory/2464-15-0x00007FF638210000-0x00007FF638290000-memory.dmp

Filesize
512KB

Download
memory/2472-8-0x00007FF638210000-0x00007FF638290000-memory.dmp

Filesize
512KB

Download
memory/2664-3-0x00007FF638210000-0x00007FF638290000-memory.dmp

Filesize
512KB

Download
memory/2780-0-0x00007FF638210000-0x00007FF638290000-memory.dmp

Filesize
512KB

Download
memory/2932-11-0x00007FF638210000-0x00007FF638290000-memory.dmp

Filesize
512KB

Download
memory/3140-10-0x00007FF638210000-0x00007FF638290000-memory.dmp

Filesize
512KB

Download
memory/3368-4-0x00007FF638210000-0x00007FF638290000-memory.dmp

Filesize
512KB

Download
memory/3608-2-0x00007FF638210000-0x00007FF638290000-memory.dmp

Filesize
512KB

Download
memory/3636-25-0x00007FF638210000-0x00007FF638290000-memory.dmp

Filesize
512KB

Download
memory/3696-24-0x00007FF638210000-0x00007FF638290000-memory.dmp

Filesize
512KB

Download
memory/3800-18-0x00007FF638210000-0x00007FF638290000-memory.dmp

Filesize
512KB

Download
memory/3940-14-0x00007FF638210000-0x00007FF638290000-memory.dmp

Filesize
512KB

Download
memory/4372-16-0x00007FF638210000-0x00007FF638290000-memory.dmp

Filesize
512KB

Download
memory/4760-17-0x00007FF638210000-0x00007FF638290000-memory.dmp

Filesize
512KB

Download
memory/4808-26-0x00007FF638210000-0x00007FF638290000-memory.dmp

Filesize
512KB

Download
memory/4876-9-0x00007FF638210000-0x00007FF638290000-memory.dmp

Filesize
512KB

Download
memory/4928-13-0x00007FF638210000-0x00007FF638290000-memory.dmp

Filesize
512KB

Download
memory/4948-7-0x00007FF638210000-0x00007FF638290000-memory.dmp

Filesize
512KB

Download
memory/5000-32-0x00007FF638210000-0x00007FF638290000-memory.dmp

Filesize
512KB

Download
memory/5020-31-0x00007FF638210000-0x00007FF638290000-memory.dmp

Filesize
512KB

Download
memory/5068-12-0x00007FF638210000-0x00007FF638290000-memory.dmp

Filesize
512KB

Download
memory/5080-5-0x00007FF638210000-0x00007FF638290000-memory.dmp

Filesize
512KB

Download
memory/5084-22-0x00007FF638210000-0x00007FF638290000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads