9a6b2c30dcd0bc64dac2146f0525f6413687064728206044123d81d9566d059e

Analysis

max time kernel
140s
max time network
141s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
07/01/2024, 01:28

Target

47abda32914f0e4e58981a3f7cea4566.exe
Size

19KB
MD5

47abda32914f0e4e58981a3f7cea4566
SHA1

f371b3ccb14dd8758765e89a9711c9fad6a0fed9
SHA256

9a6b2c30dcd0bc64dac2146f0525f6413687064728206044123d81d9566d059e
SHA512

743c9e8c24986d4aca336fbc2bdb768b28f949fb5776b13d60a0cef55804f8a5883cc3fe6e8add77b1c878718e49a5c019639d3a0c031c22b1ca5b71f98dde6b
SSDEEP

384:Qj8hYKQhip4L2oe89bAwNUGMRw4ZFZVrW7vlGlCkBQKNwW+TiKJ49oo5aH:LhkhH2t86aX4w4Z3VrWTwlLBgjc

Score

7^/10

Deletes itself 1 IoCs

pid	Process
1388	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1956	47abda32914f0e4e58981a3f7cea4566.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\47abda32914f0e4e58981a3f7cea4566.exe	47abda32914f0e4e58981a3f7cea4566.exe
File opened for modification	C:\Windows\SysWOW64\47abda32914f0e4e58981a3f7cea4566.exe	47abda32914f0e4e58981a3f7cea4566.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1988	47abda32914f0e4e58981a3f7cea4566.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1988 wrote to memory of 1388	1988	47abda32914f0e4e58981a3f7cea4566.exe	29
PID 1988 wrote to memory of 1388	1988	47abda32914f0e4e58981a3f7cea4566.exe	29
PID 1988 wrote to memory of 1388	1988	47abda32914f0e4e58981a3f7cea4566.exe	29
PID 1988 wrote to memory of 1388	1988	47abda32914f0e4e58981a3f7cea4566.exe	29

C:\Users\Admin\AppData\Local\Temp\47abda32914f0e4e58981a3f7cea4566.exe
"C:\Users\Admin\AppData\Local\Temp\47abda32914f0e4e58981a3f7cea4566.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\47ABDA~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1388

C:\Windows\SysWOW64\47abda32914f0e4e58981a3f7cea4566.exe
C:\Windows\SysWOW64\47abda32914f0e4e58981a3f7cea4566.exe
1⤵
- Executes dropped EXE
PID:1956

C:\Windows\SysWOW64\47abda32914f0e4e58981a3f7cea4566.exe

Filesize
19KB

MD5
47abda32914f0e4e58981a3f7cea4566

SHA1
f371b3ccb14dd8758765e89a9711c9fad6a0fed9

SHA256
9a6b2c30dcd0bc64dac2146f0525f6413687064728206044123d81d9566d059e

SHA512
743c9e8c24986d4aca336fbc2bdb768b28f949fb5776b13d60a0cef55804f8a5883cc3fe6e8add77b1c878718e49a5c019639d3a0c031c22b1ca5b71f98dde6b

Download Submit
memory/1956-4-0x0000000000400000-0x000000000044DD61-memory.dmp

Filesize
311KB

Download
memory/1956-6-0x0000000000400000-0x000000000044DD61-memory.dmp

Filesize
311KB

Download
memory/1988-0-0x0000000000400000-0x000000000044DD61-memory.dmp

Filesize
311KB

Download
memory/1988-2-0x0000000000400000-0x000000000044DD61-memory.dmp

Filesize
311KB

Download
memory/1988-5-0x0000000000400000-0x000000000044DD61-memory.dmp

Filesize
311KB

Download