07a1466ac874355b838eb0c5871bcc00514d749fed184b7aa1f5f02ff7d14787

Analysis

max time kernel
0s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26/12/2023, 08:05

Target

5e5f277ef0efedf1f51ed3e3ed193c99.exe
Size

2.5MB
MD5

5e5f277ef0efedf1f51ed3e3ed193c99
SHA1

b276ccf028e3e3c543a03e7cab088f9813021bdc
SHA256

07a1466ac874355b838eb0c5871bcc00514d749fed184b7aa1f5f02ff7d14787
SHA512

fe6139c4d81d56c0d01fe636ea9632763691fe67ae2fc3833a0c7b681c6e5e91fda1f6b31bcfa4dba89034807b8a1886e95bbbe78031c095e885baced0c4e5dd
SSDEEP

24576:Biukn3KlrS7AHkwu3sHReZDoasYW+wsDaQw6DDz3qRyPnmGfrnvVUKueY8RmneWR:uKRgsYasY6DwOBfrnvV7UeWtFtI+QFKF

Score

6^/10

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	5e5f277ef0efedf1f51ed3e3ed193c99.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	5e5f277ef0efedf1f51ed3e3ed193c99.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	5e5f277ef0efedf1f51ed3e3ed193c99.exe
File created	C:\Windows\assembly\Desktop.ini	5e5f277ef0efedf1f51ed3e3ed193c99.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	5e5f277ef0efedf1f51ed3e3ed193c99.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeRestorePrivilege	3940	dw20.exe
Token: SeBackupPrivilege	3940	dw20.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 3940	2348	5e5f277ef0efedf1f51ed3e3ed193c99.exe	22
PID 2348 wrote to memory of 3940	2348	5e5f277ef0efedf1f51ed3e3ed193c99.exe	22
PID 2348 wrote to memory of 3940	2348	5e5f277ef0efedf1f51ed3e3ed193c99.exe	22

C:\Users\Admin\AppData\Local\Temp\5e5f277ef0efedf1f51ed3e3ed193c99.exe
"C:\Users\Admin\AppData\Local\Temp\5e5f277ef0efedf1f51ed3e3ed193c99.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
  dw20.exe -x -s 832
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3940

memory/2348-0-0x0000000074AB0000-0x0000000075061000-memory.dmp

Filesize
5.7MB

Download
memory/2348-2-0x0000000000CB0000-0x0000000000CC0000-memory.dmp

Filesize
64KB

Download
memory/2348-1-0x0000000074AB0000-0x0000000075061000-memory.dmp

Filesize
5.7MB

Download
memory/2348-11-0x0000000074AB0000-0x0000000075061000-memory.dmp

Filesize
5.7MB

Download