f0cf1e7ecb944164e6add6f39e03763e66f35b92f4d546367c0c6e689811e3d6

Analysis

max time kernel
118s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
07/01/2024, 04:37

Target

480c981433ac3a82292ca212a1a75f0d.exe
Size

30KB
MD5

480c981433ac3a82292ca212a1a75f0d
SHA1

295b2a8e2907dd304eb425106fbaf9b9a7f0c6ca
SHA256

f0cf1e7ecb944164e6add6f39e03763e66f35b92f4d546367c0c6e689811e3d6
SHA512

bb4fced418defdb2be67de9efaa03f8f6abc2f4c9cdf99d1c755c5980c6b1b33c8e667ddb31880fc8bbeb25e8a35b93465687b6848748839ee895af950e3d081
SSDEEP

384:MIo9+KTjztrJNwjFGhauDganEscRMGa2yjIXZ5uyGekFT3QZ7Qcf:tKTv+442Esd0HvKOB

Score

1^/10

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1752	480c981433ac3a82292ca212a1a75f0d.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1752 wrote to memory of 2052	1752	480c981433ac3a82292ca212a1a75f0d.exe	29
PID 1752 wrote to memory of 2052	1752	480c981433ac3a82292ca212a1a75f0d.exe	29
PID 1752 wrote to memory of 2052	1752	480c981433ac3a82292ca212a1a75f0d.exe	29
PID 1752 wrote to memory of 2052	1752	480c981433ac3a82292ca212a1a75f0d.exe	29
PID 1752 wrote to memory of 2992	1752	480c981433ac3a82292ca212a1a75f0d.exe	31
PID 1752 wrote to memory of 2992	1752	480c981433ac3a82292ca212a1a75f0d.exe	31
PID 1752 wrote to memory of 2992	1752	480c981433ac3a82292ca212a1a75f0d.exe	31
PID 1752 wrote to memory of 2992	1752	480c981433ac3a82292ca212a1a75f0d.exe	31
PID 1752 wrote to memory of 2732	1752	480c981433ac3a82292ca212a1a75f0d.exe	30
PID 1752 wrote to memory of 2732	1752	480c981433ac3a82292ca212a1a75f0d.exe	30
PID 1752 wrote to memory of 2732	1752	480c981433ac3a82292ca212a1a75f0d.exe	30
PID 1752 wrote to memory of 2732	1752	480c981433ac3a82292ca212a1a75f0d.exe	30

C:\Users\Admin\AppData\Local\Temp\480c981433ac3a82292ca212a1a75f0d.exe
"C:\Users\Admin\AppData\Local\Temp\480c981433ac3a82292ca212a1a75f0d.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1752
- C:\Windows\SysWOW64\arp.exe
  "C:\Windows\System32\arp.exe" -a
  2⤵
  PID:2052
- C:\Windows\SysWOW64\arp.exe
  "C:\Windows\System32\arp.exe" -a
  2⤵
  PID:2732
- C:\Windows\SysWOW64\arp.exe
  "C:\Windows\System32\arp.exe" -a
  2⤵
  PID:2992

memory/1752-1-0x00000000741B0000-0x000000007489E000-memory.dmp

Filesize
6.9MB

Download
memory/1752-0-0x0000000000980000-0x000000000098E000-memory.dmp

Filesize
56KB

Download
memory/1752-2-0x0000000004980000-0x00000000049C0000-memory.dmp

Filesize
256KB

Download
memory/1752-3-0x00000000741B0000-0x000000007489E000-memory.dmp

Filesize
6.9MB

Download