e85444c3bfd0aff20fbf0d120dc21dc8f1ab89092179b0da7c8f808674957cea

Analysis

max time kernel
136s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
14/01/2024, 12:06

Target

5b3240d2194ed9f1aae4eae6b3657bad.exe
Size

1.9MB
MD5

5b3240d2194ed9f1aae4eae6b3657bad
SHA1

348ce584ec1e6e27fba5b59035e14c977ac94e2e
SHA256

e85444c3bfd0aff20fbf0d120dc21dc8f1ab89092179b0da7c8f808674957cea
SHA512

38f24ac06483e6065b08b39991590c34224b5da2d555cfec222726aa9d7a2c3227008da6f1fe0de2c069fe3f06fc2070dcc400fe3e35f35896c5ac0fbfbcf7ef
SSDEEP

49152:Qoa1taC070d0QgG8yzF5yeOK6cxU6FTtGknr:Qoa1taC0M1zaDPKU6FTtRr

Score

7^/10

Deletes itself 1 IoCs

pid	Process
1248	52C3.tmp

Executes dropped EXE 1 IoCs

pid	Process
1248	52C3.tmp

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	2976	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1464 wrote to memory of 1248	1464	5b3240d2194ed9f1aae4eae6b3657bad.exe	92
PID 1464 wrote to memory of 1248	1464	5b3240d2194ed9f1aae4eae6b3657bad.exe	92
PID 1464 wrote to memory of 1248	1464	5b3240d2194ed9f1aae4eae6b3657bad.exe	92

C:\Users\Admin\AppData\Local\Temp\5b3240d2194ed9f1aae4eae6b3657bad.exe
"C:\Users\Admin\AppData\Local\Temp\5b3240d2194ed9f1aae4eae6b3657bad.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1464
- C:\Users\Admin\AppData\Local\Temp\52C3.tmp
  "C:\Users\Admin\AppData\Local\Temp\52C3.tmp" --splashC:\Users\Admin\AppData\Local\Temp\5b3240d2194ed9f1aae4eae6b3657bad.exe 38CB6B3514335C92E07812397B9A611EC64CC7BCC8374AD1AFE50E0552A01B4F0840565A39CE733A71B544C56543E0DC5348AEAF6CD651EE5E630558823F2217
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:1248

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:4952

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2976

C:\Users\Admin\AppData\Local\Temp\52C3.tmp

Filesize
369KB

MD5
b8520236ee05a356ac691955c136e84e

SHA1
315d8082da871b0d78182f974a44274641f96b00

SHA256
f0fe6d4ee144d8581e5bf76e2e28c86ab7e21cf9250fad60474fecc22e57a3aa

SHA512
c805fa7e3bf70c0001e5a7be3c51ab47982dd52f99ecc51e17ff0589f570decc159e9c7e2ba8d84474fd4ad5082ff853941b4ddff5d20fc7756638554472da04

Download Submit
C:\Users\Admin\AppData\Local\Temp\52C3.tmp

Filesize
331KB

MD5
3fed07027207c5c1541587ac49e9ff05

SHA1
8356958cfb495ea8ef07544aff7cb146b6810562

SHA256
7e04ba1d050192b56a02d5ca8be72799ae75d8c8aa2ea8900c3877024850c45d

SHA512
8f9f30d759e9bbf3ae62574a2f50623caa35ce9a41b469676949cf791acf5e440783f73c0e02bcc0b6a9616466982181fd9208aece1195a2b6e973b7d7b32c66

Download Submit
memory/1248-5-0x0000000000400000-0x00000000005E6000-memory.dmp

Filesize
1.9MB

Download
memory/1464-0-0x0000000000400000-0x00000000005E6000-memory.dmp

Filesize
1.9MB

Download
memory/2976-6-0x000001F9DF2A0000-0x000001F9DF2B0000-memory.dmp

Filesize
64KB

Download
memory/2976-22-0x000001F9DF3A0000-0x000001F9DF3B0000-memory.dmp

Filesize
64KB

Download
memory/2976-38-0x000001F9E7710000-0x000001F9E7711000-memory.dmp

Filesize
4KB

Download
memory/2976-40-0x000001F9E7740000-0x000001F9E7741000-memory.dmp

Filesize
4KB

Download
memory/2976-41-0x000001F9E7740000-0x000001F9E7741000-memory.dmp

Filesize
4KB

Download
memory/2976-42-0x000001F9E7850000-0x000001F9E7851000-memory.dmp

Filesize
4KB

Download