21638ab552b1d6bcadc9161f4160a1e1b025286d7bdd922f38644192774155e2

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
27-01-2024 09:55

Target

79ef062e0a8b7ea6560e2465cb290865.exe
Size

89KB
MD5

79ef062e0a8b7ea6560e2465cb290865
SHA1

79bd70129c20e5ba1e95b15193fb2565b6206563
SHA256

21638ab552b1d6bcadc9161f4160a1e1b025286d7bdd922f38644192774155e2
SHA512

9688e440ee435ae8e6a4110c6a0b7c26192357b229bb382b3b0b1ca23ff570f71aff25ab133b23b212cd66b53d336d8d8da3d12c1289a9a43c9332872661dc85
SSDEEP

1536:UQ7ftfkS5g9YOms+gZcQipICdXkNDqLLZX9lItVGL++eIOlnToIf0wJOa:UuFfHgTWmCRkGbKGLeNTBf0u

Score

1^/10

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2668	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2668	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2668	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3020 wrote to memory of 2196	3020	79ef062e0a8b7ea6560e2465cb290865.exe	29
PID 3020 wrote to memory of 2196	3020	79ef062e0a8b7ea6560e2465cb290865.exe	29
PID 3020 wrote to memory of 2196	3020	79ef062e0a8b7ea6560e2465cb290865.exe	29
PID 3020 wrote to memory of 2196	3020	79ef062e0a8b7ea6560e2465cb290865.exe	29
PID 2196 wrote to memory of 2668	2196	cmd.exe	30
PID 2196 wrote to memory of 2668	2196	cmd.exe	30
PID 2196 wrote to memory of 2668	2196	cmd.exe	30
PID 2196 wrote to memory of 2668	2196	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\79ef062e0a8b7ea6560e2465cb290865.exe
"C:\Users\Admin\AppData\Local\Temp\79ef062e0a8b7ea6560e2465cb290865.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3020
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\10D2.tmp\10D3.tmp\10D4.bat C:\Users\Admin\AppData\Local\Temp\79ef062e0a8b7ea6560e2465cb290865.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2196
- - C:\Windows\syswow64\windowspowershell\v1.0\powershell.exe
    C:\Windows\syswow64\windowspowershell\v1.0\powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Command
    3⤵
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2668

C:\Users\Admin\AppData\Local\Temp\10D2.tmp\10D3.tmp\10D4.bat

Filesize
381B

MD5
ef852217e13593630be95b36d9c3d109

SHA1
6b9adba68aa7de5529522ce8f3402b78fda5b70b

SHA256
6886e729bb935df2e0b519532c71fd1dea9e40d30993d08c4e93f1a6e03e2686

SHA512
c7499294d19ef9a551d0252480002ae26df5ab6acf542e986607aa04bc5d2b25096eb7432f5d828dc92f6689bbeb6232c2d58191266f6e7b5d47a714f5f7dfd2

Download Submit
memory/2668-4-0x0000000073790000-0x0000000073D3B000-memory.dmp

Filesize
5.7MB

Download
memory/2668-5-0x0000000073790000-0x0000000073D3B000-memory.dmp

Filesize
5.7MB

Download
memory/2668-8-0x0000000002940000-0x0000000002980000-memory.dmp

Filesize
256KB

Download
memory/2668-7-0x0000000002940000-0x0000000002980000-memory.dmp

Filesize
256KB

Download
memory/2668-6-0x0000000002940000-0x0000000002980000-memory.dmp

Filesize
256KB

Download
memory/2668-9-0x0000000073790000-0x0000000073D3B000-memory.dmp

Filesize
5.7MB

Download