b46b5657118ecb66cbe08afc47ee7a58d8d6ad5ded89e62a423c6d00c39d0c12

Analysis

max time kernel
141s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
06/01/2024, 09:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

45eec4959be6ec67e5ed9fa18e02e172.exe
Size

102KB
MD5

45eec4959be6ec67e5ed9fa18e02e172
SHA1

379fb1f129d7043537c719cdf53e42a8f2eaab24
SHA256

b46b5657118ecb66cbe08afc47ee7a58d8d6ad5ded89e62a423c6d00c39d0c12
SHA512

59ed26520bc0c412ed534909c2d596be70ea47965c79383066d69785769df38848893cb52a200c813119e72fc4b8afa4ba452a635746f0a9484ccf8b1d65a165
SSDEEP

3072:IGmfrDZWo5l/UGRcxJhhWdZYOcL3n4/P:IGQR5Z+YPbc

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
4504	InstallUtil.exe
500	InstallUtil.exe
2084	InstallUtil.exe
4192	InstallUtil.exe
3236	InstallUtil.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
2868	45eec4959be6ec67e5ed9fa18e02e172.exe
2868	45eec4959be6ec67e5ed9fa18e02e172.exe
2868	45eec4959be6ec67e5ed9fa18e02e172.exe
2868	45eec4959be6ec67e5ed9fa18e02e172.exe
2868	45eec4959be6ec67e5ed9fa18e02e172.exe
2868	45eec4959be6ec67e5ed9fa18e02e172.exe
2868	45eec4959be6ec67e5ed9fa18e02e172.exe
2868	45eec4959be6ec67e5ed9fa18e02e172.exe
2868	45eec4959be6ec67e5ed9fa18e02e172.exe
2868	45eec4959be6ec67e5ed9fa18e02e172.exe
2868	45eec4959be6ec67e5ed9fa18e02e172.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2868	45eec4959be6ec67e5ed9fa18e02e172.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 4504	2868	45eec4959be6ec67e5ed9fa18e02e172.exe	91
PID 2868 wrote to memory of 4504	2868	45eec4959be6ec67e5ed9fa18e02e172.exe	91
PID 2868 wrote to memory of 4504	2868	45eec4959be6ec67e5ed9fa18e02e172.exe	91
PID 2868 wrote to memory of 4504	2868	45eec4959be6ec67e5ed9fa18e02e172.exe	91
PID 2868 wrote to memory of 500	2868	45eec4959be6ec67e5ed9fa18e02e172.exe	92
PID 2868 wrote to memory of 500	2868	45eec4959be6ec67e5ed9fa18e02e172.exe	92
PID 2868 wrote to memory of 500	2868	45eec4959be6ec67e5ed9fa18e02e172.exe	92
PID 2868 wrote to memory of 500	2868	45eec4959be6ec67e5ed9fa18e02e172.exe	92
PID 2868 wrote to memory of 2084	2868	45eec4959be6ec67e5ed9fa18e02e172.exe	93
PID 2868 wrote to memory of 2084	2868	45eec4959be6ec67e5ed9fa18e02e172.exe	93
PID 2868 wrote to memory of 2084	2868	45eec4959be6ec67e5ed9fa18e02e172.exe	93
PID 2868 wrote to memory of 2084	2868	45eec4959be6ec67e5ed9fa18e02e172.exe	93
PID 2868 wrote to memory of 4192	2868	45eec4959be6ec67e5ed9fa18e02e172.exe	94
PID 2868 wrote to memory of 4192	2868	45eec4959be6ec67e5ed9fa18e02e172.exe	94
PID 2868 wrote to memory of 4192	2868	45eec4959be6ec67e5ed9fa18e02e172.exe	94
PID 2868 wrote to memory of 4192	2868	45eec4959be6ec67e5ed9fa18e02e172.exe	94
PID 2868 wrote to memory of 3236	2868	45eec4959be6ec67e5ed9fa18e02e172.exe	95
PID 2868 wrote to memory of 3236	2868	45eec4959be6ec67e5ed9fa18e02e172.exe	95
PID 2868 wrote to memory of 3236	2868	45eec4959be6ec67e5ed9fa18e02e172.exe	95
PID 2868 wrote to memory of 3236	2868	45eec4959be6ec67e5ed9fa18e02e172.exe	95

C:\Users\Admin\AppData\Local\Temp\45eec4959be6ec67e5ed9fa18e02e172.exe
"C:\Users\Admin\AppData\Local\Temp\45eec4959be6ec67e5ed9fa18e02e172.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
  "C:\Users\Admin\AppData\Local\Temp\\InstallUtil.exe"
  2⤵
  - Executes dropped EXE
  PID:4504
- C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
  "C:\Users\Admin\AppData\Local\Temp\\InstallUtil.exe"
  2⤵
  - Executes dropped EXE
  PID:500
- C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
  "C:\Users\Admin\AppData\Local\Temp\\InstallUtil.exe"
  2⤵
  - Executes dropped EXE
  PID:2084
- C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
  "C:\Users\Admin\AppData\Local\Temp\\InstallUtil.exe"
  2⤵
  - Executes dropped EXE
  PID:4192
- C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
  "C:\Users\Admin\AppData\Local\Temp\\InstallUtil.exe"
  2⤵
  - Executes dropped EXE
  PID:3236

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe

Filesize
41KB

MD5
5d4073b2eb6d217c19f2b22f21bf8d57

SHA1
f0209900fbf08d004b886a0b3ba33ea2b0bf9da8

SHA256
ac1a3f21fcc88f9cee7bf51581eafba24cc76c924f0821deb2afdf1080ddf3d3

SHA512
9ac94880684933ba3407cdc135abc3047543436567af14cd9269c4adc5a6535db7b867d6de0d6238a21b94e69f9890dbb5739155871a624520623a7e56872159

Download Submit
memory/2868-0-0x00000000749F0000-0x00000000751A0000-memory.dmp

Filesize
7.7MB

Download
memory/2868-1-0x0000000000BA0000-0x0000000000BC0000-memory.dmp

Filesize
128KB

Download
memory/2868-2-0x0000000005C30000-0x00000000061D4000-memory.dmp

Filesize
5.6MB

Download
memory/2868-3-0x0000000005590000-0x0000000005622000-memory.dmp

Filesize
584KB

Download
memory/2868-4-0x0000000005720000-0x00000000057BC000-memory.dmp

Filesize
624KB

Download
memory/2868-5-0x00000000059A0000-0x00000000059B0000-memory.dmp

Filesize
64KB

Download
memory/2868-6-0x0000000006B60000-0x0000000006B8C000-memory.dmp

Filesize
176KB

Download
memory/2868-7-0x0000000006FB0000-0x0000000006FBA000-memory.dmp

Filesize
40KB

Download
memory/2868-9-0x0000000007AC0000-0x0000000007AD2000-memory.dmp

Filesize
72KB

Download
memory/2868-21-0x00000000749F0000-0x00000000751A0000-memory.dmp

Filesize
7.7MB

Download