8af99a59b35ef3a94aa5b2f8c621de87e58b63470c6310367331822abe38140c

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
29/12/2023, 22:50

Target

061e5aaf555483b8e5a988c558c30367.exe
Size

648KB
MD5

061e5aaf555483b8e5a988c558c30367
SHA1

8799f3097e645d42dcb2ae50996cd25080872b22
SHA256

8af99a59b35ef3a94aa5b2f8c621de87e58b63470c6310367331822abe38140c
SHA512

1d21d991c80a5488d5ad3dd83bade9d42ae741756453ada78a50e54ae020178813af7155c2ac9f98434bcde2d536800b813ea13019a733be48b4e90dc70b479e
SSDEEP

12288:i3lOzTVqfEgr5vW5AQl3BP4XZMZZMtT/TVhoEgZKL5FBlVvOcEEmH6+7+fc:i3I3dg9vW5AQfYqv4TVhoEgGvOcEE2f

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
736	win xp.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\win xp.exe	061e5aaf555483b8e5a988c558c30367.exe
File created	C:\Windows\Delete.bat	061e5aaf555483b8e5a988c558c30367.exe
File created	C:\Windows\win xp.exe	061e5aaf555483b8e5a988c558c30367.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4248	061e5aaf555483b8e5a988c558c30367.exe
Token: SeDebugPrivilege	736	win xp.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
736	win xp.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4248 wrote to memory of 3804	4248	061e5aaf555483b8e5a988c558c30367.exe	96
PID 4248 wrote to memory of 3804	4248	061e5aaf555483b8e5a988c558c30367.exe	96
PID 4248 wrote to memory of 3804	4248	061e5aaf555483b8e5a988c558c30367.exe	96
PID 736 wrote to memory of 3456	736	win xp.exe	95
PID 736 wrote to memory of 3456	736	win xp.exe	95

C:\Users\Admin\AppData\Local\Temp\061e5aaf555483b8e5a988c558c30367.exe
"C:\Users\Admin\AppData\Local\Temp\061e5aaf555483b8e5a988c558c30367.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4248
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\Delete.bat
  2⤵
  PID:3804

C:\Windows\win xp.exe
"C:\Windows\win xp.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:736
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:3456

C:\Windows\Delete.bat

Filesize
186B

MD5
43957ff77b34a3606ec5fe59f1c1610f

SHA1
c0fd2fdeb6f2a5b3178e2189499111605a0df48a

SHA256
b144083aac042ec1a3801faa889ba05e174edd683cf8c04d88dc9d740705ef3d

SHA512
3066ce4f049c6a1561a3a0ffc29264bc77d7559ffd5bd088fa3633b81a26ac8f9ac58630ac9af128ec58e673f6b3876a3fd9717aea829fe493cc5bcb9cf51fcc

Download Submit
C:\Windows\win xp.exe

Filesize
63KB

MD5
10a238a76ce13affda0aa4ad683367e7

SHA1
47577feaf506e25d87b352530aedb3c6e1168fc5

SHA256
63ba31c19ab383383e15d6caedf558cd3e7125fcd68d21a27eb609b4a242a4ad

SHA512
3e9193ff8fb7eb2ff8e8741d207a98a267a4a76c8e6b074ed62e72c55029cb4ad0f0acd87444fb5cd19bff0a530e0a14732b7111a485d2fc376387305c3690a5

Download Submit
C:\Windows\win xp.exe

Filesize
104KB

MD5
e0b61778b172f983dddf6bb38408f167

SHA1
645ccca5adcee283e33cc8ee3f5dba1616596b28

SHA256
0dcbbe99596389d87a968d878fc7eff937fcc13d1b2c078d46713b81ecda406e

SHA512
d2749931d638c3b504cc39cfd1add86251cf5bc0e289ad18cb80b31aad60dfd14c855398d7abe92bd3603fe68773c0172b4b225c3d8a05957280ddcff26ae2c3

Download Submit
memory/736-7-0x0000000000DC0000-0x0000000000DC1000-memory.dmp

Filesize
4KB

Download
memory/736-10-0x0000000000DC0000-0x0000000000DC1000-memory.dmp

Filesize
4KB

Download
memory/4248-2-0x0000000002470000-0x0000000002471000-memory.dmp

Filesize
4KB

Download
memory/4248-8-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download