ad0e0b34dd57250d9c86792e82b49ed1598421c83ead2707a475df200f0b60f6

Analysis

max time kernel
147s
max time network
155s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
09/01/2024, 03:52

Target

4d43d16f407494f3317b8a9a68099791.exe
Size

13KB
MD5

4d43d16f407494f3317b8a9a68099791
SHA1

8e61c2caa7e326322bf586d06279029530b7605c
SHA256

ad0e0b34dd57250d9c86792e82b49ed1598421c83ead2707a475df200f0b60f6
SHA512

a4a6cbab172299b09ebc67d3e19bc1274d58f29ddca400d2fc26a9be849d2de45c9694e309da319c12dd2c4503cba5572cd4ca782227e5127681dacda552e4c1
SSDEEP

384:EngFSX3fyNa1J+29+scOjvq0sYNoaO+3OE:EwSX3fn+2+sc2i/YNo0+E

Score

7^/10

Deletes itself 1 IoCs

pid	Process
2672	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2620	4d43d16f407494f3317b8a9a68099791.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\4d43d16f407494f3317b8a9a68099791.exe	4d43d16f407494f3317b8a9a68099791.exe
File created	C:\Windows\SysWOW64\4d43d16f407494f3317b8a9a68099791.exe	4d43d16f407494f3317b8a9a68099791.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2832	4d43d16f407494f3317b8a9a68099791.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2832 wrote to memory of 2672	2832	4d43d16f407494f3317b8a9a68099791.exe	28
PID 2832 wrote to memory of 2672	2832	4d43d16f407494f3317b8a9a68099791.exe	28
PID 2832 wrote to memory of 2672	2832	4d43d16f407494f3317b8a9a68099791.exe	28
PID 2832 wrote to memory of 2672	2832	4d43d16f407494f3317b8a9a68099791.exe	28

C:\Users\Admin\AppData\Local\Temp\4d43d16f407494f3317b8a9a68099791.exe
"C:\Users\Admin\AppData\Local\Temp\4d43d16f407494f3317b8a9a68099791.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2832
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\4D43D1~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2672

C:\Windows\SysWOW64\4d43d16f407494f3317b8a9a68099791.exe
C:\Windows\SysWOW64\4d43d16f407494f3317b8a9a68099791.exe
1⤵
- Executes dropped EXE
PID:2620

C:\Windows\SysWOW64\4d43d16f407494f3317b8a9a68099791.exe

Filesize
13KB

MD5
4d43d16f407494f3317b8a9a68099791

SHA1
8e61c2caa7e326322bf586d06279029530b7605c

SHA256
ad0e0b34dd57250d9c86792e82b49ed1598421c83ead2707a475df200f0b60f6

SHA512
a4a6cbab172299b09ebc67d3e19bc1274d58f29ddca400d2fc26a9be849d2de45c9694e309da319c12dd2c4503cba5572cd4ca782227e5127681dacda552e4c1

Download Submit
memory/2620-3-0x0000000000400000-0x000000000045202B-memory.dmp

Filesize
328KB

Download
memory/2620-5-0x0000000000400000-0x000000000045202B-memory.dmp

Filesize
328KB

Download
memory/2832-0-0x0000000000400000-0x000000000045202B-memory.dmp

Filesize
328KB

Download
memory/2832-4-0x0000000000400000-0x000000000045202B-memory.dmp

Filesize
328KB

Download