ebc3deef36d1000ef7b75c77a4e6b6d0e2f48a7150f0a0aa3b10a3eec010d976

Analysis

max time kernel
0s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 21:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1dbfed4bcf480bff2ecf355d69fa4a8e.exe
Size

89KB
MD5

1dbfed4bcf480bff2ecf355d69fa4a8e
SHA1

d52ebe8e7ecde4fa2c88d3ea3ac329ac6633f049
SHA256

ebc3deef36d1000ef7b75c77a4e6b6d0e2f48a7150f0a0aa3b10a3eec010d976
SHA512

434b3d2a9db3dd3d7379ae05b93df81db90d4336c2668ede73350cc850ad5bb71bca8d78e85f850743331bf6b7dd970b1153dc609f7c22e2ad6a3c063e378c36
SSDEEP

1536:AU7ftfkS5g9YOms+gZcQipICdXkNDqLLZX9lItVGL++eIOlnToIfawCiO3:AqFfHgTWmCRkGbKGLeNTBfa3x

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3012	powershell.exe
3012	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3012	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3156 wrote to memory of 3860	3156	1dbfed4bcf480bff2ecf355d69fa4a8e.exe	24
PID 3156 wrote to memory of 3860	3156	1dbfed4bcf480bff2ecf355d69fa4a8e.exe	24
PID 3860 wrote to memory of 3012	3860	cmd.exe	23
PID 3860 wrote to memory of 3012	3860	cmd.exe	23

C:\Users\Admin\AppData\Local\Temp\1dbfed4bcf480bff2ecf355d69fa4a8e.exe
"C:\Users\Admin\AppData\Local\Temp\1dbfed4bcf480bff2ecf355d69fa4a8e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3156
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\50FE.tmp\50FF.tmp\5100.bat C:\Users\Admin\AppData\Local\Temp\1dbfed4bcf480bff2ecf355d69fa4a8e.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3860

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3012

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\50FE.tmp\50FF.tmp\5100.bat

Filesize
21B

MD5
a2b60d872386c201820d5fed490081b7

SHA1
f222556548a31d68c85a51fa19e2233c2af1eccd

SHA256
2bef87db1c354178fdd4f3102600a5b8f0889bf5778fc1550549e8838727d521

SHA512
92ce9b599000d3519884c4bbc9af7dc127afdd4a27a1c1be577c9e41631d2ffdee76802fbecc0b992ffd5b234cca4cb80a16f4a027f851fd9b6f5ef350bc9ed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yja1nlcj.1rh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/3012-7-0x00007FF9ADB30000-0x00007FF9AE5F1000-memory.dmp

Filesize
10.8MB

Download
memory/3012-15-0x000001D667610000-0x000001D667620000-memory.dmp

Filesize
64KB

Download
memory/3012-16-0x000001D67FBA0000-0x000001D67FBE4000-memory.dmp

Filesize
272KB

Download
memory/3012-4-0x000001D67FB70000-0x000001D67FB92000-memory.dmp

Filesize
136KB

Download
memory/3012-17-0x000001D67FC70000-0x000001D67FCE6000-memory.dmp

Filesize
472KB

Download
memory/3012-19-0x00007FF9ADB30000-0x00007FF9AE5F1000-memory.dmp

Filesize
10.8MB

Download
memory/3012-20-0x000001D667610000-0x000001D667620000-memory.dmp

Filesize
64KB

Download
memory/3012-21-0x000001D667610000-0x000001D667620000-memory.dmp

Filesize
64KB

Download