824f542872863743abba20cdd20029af9efd9e826813670b9fb6a488937082d4

Analysis

max time kernel
142s
max time network
165s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
07/01/2024, 08:57

Target

488ce6cc5ab030ef3430a97951d43963.exe
Size

23KB
MD5

488ce6cc5ab030ef3430a97951d43963
SHA1

7857f691d5e45a94c5c730412622b78f50ed023b
SHA256

824f542872863743abba20cdd20029af9efd9e826813670b9fb6a488937082d4
SHA512

214ef0cceb0cf2556505f187d022c0e19a878433745410a192237724aedad94f806b3872ac61ad7a757f1518323daa6a28089a73343de143a8dee08bf385a173
SSDEEP

384:+hD6d/dkKLbVzAYPwuce6OZQU/S7W2kZ18jYE0W:OFYove6Ox6f4

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
2068	mssm

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\mssm	488ce6cc5ab030ef3430a97951d43963.exe
File opened for modification	C:\Windows\SysWOW64\mssm	488ce6cc5ab030ef3430a97951d43963.exe
File created	C:\Windows\SysWOW64\mssm	mssm

Suspicious behavior: EnumeratesProcesses 4 IoCs

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2408	488ce6cc5ab030ef3430a97951d43963.exe
Token: SeIncBasePriorityPrivilege	2068	mssm

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2408 wrote to memory of 2068	2408	488ce6cc5ab030ef3430a97951d43963.exe	91
PID 2408 wrote to memory of 2068	2408	488ce6cc5ab030ef3430a97951d43963.exe	91
PID 2408 wrote to memory of 2068	2408	488ce6cc5ab030ef3430a97951d43963.exe	91
PID 2408 wrote to memory of 2480	2408	488ce6cc5ab030ef3430a97951d43963.exe	92
PID 2408 wrote to memory of 2480	2408	488ce6cc5ab030ef3430a97951d43963.exe	92
PID 2408 wrote to memory of 2480	2408	488ce6cc5ab030ef3430a97951d43963.exe	92
PID 2068 wrote to memory of 1188	2068	mssm	96
PID 2068 wrote to memory of 1188	2068	mssm	96
PID 2068 wrote to memory of 1188	2068	mssm	96

C:\Users\Admin\AppData\Local\Temp\488ce6cc5ab030ef3430a97951d43963.exe
"C:\Users\Admin\AppData\Local\Temp\488ce6cc5ab030ef3430a97951d43963.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Windows\SysWOW64\mssm
  "C:\Windows\system32\mssm"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2068
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\mssm > nul
    3⤵
    PID:1188
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\488CE6~1.EXE > nul
  2⤵
  PID:2480

C:\Windows\SysWOW64\mssm

Filesize
23KB

MD5
488ce6cc5ab030ef3430a97951d43963

SHA1
7857f691d5e45a94c5c730412622b78f50ed023b

SHA256
824f542872863743abba20cdd20029af9efd9e826813670b9fb6a488937082d4

SHA512
214ef0cceb0cf2556505f187d022c0e19a878433745410a192237724aedad94f806b3872ac61ad7a757f1518323daa6a28089a73343de143a8dee08bf385a173

Download Submit