Analysis
-
max time kernel
90s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20231222-en -
resource tags
arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system -
submitted
28/01/2024, 02:46
Behavioral task
behavioral1
Sample
7bf1c7f44d3d495ede09e0ac3c64ae67.exe
Resource
win7-20231129-en
windows7-x64
4 signatures
150 seconds
Behavioral task
behavioral2
Sample
7bf1c7f44d3d495ede09e0ac3c64ae67.exe
Resource
win10v2004-20231222-en
windows10-2004-x64
4 signatures
150 seconds
General
-
Target
7bf1c7f44d3d495ede09e0ac3c64ae67.exe
-
Size
1.7MB
-
MD5
7bf1c7f44d3d495ede09e0ac3c64ae67
-
SHA1
4607c487dacb5bd3b2cc73d09249a20ab11efe36
-
SHA256
3f148372b3b6ee1b8eb09b81033c2f21572300793d044cbf22842d67669191d5
-
SHA512
c93f527e9ebc826350da11344697550fae34aee1b68c43be5be5cc208cb793792897279550b83b543e977b818679c26fff6173db727656e9e9f1ed4108ee5068
-
SSDEEP
49152:dlb6F9eNQgU8U23ZPONWSO14wiUVoTP4yXfII35dTh:Lm9eC8R31ONtO2coLJXQKV
Score
7/10
Malware Config
Signatures
-
resource yara_rule behavioral2/memory/3004-0-0x00000000008C0000-0x0000000000DEF000-memory.dmp upx behavioral2/memory/3004-1-0x00000000008C0000-0x0000000000DEF000-memory.dmp upx -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 3004 7bf1c7f44d3d495ede09e0ac3c64ae67.exe 3004 7bf1c7f44d3d495ede09e0ac3c64ae67.exe -
Suspicious use of AdjustPrivilegeToken 42 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 3328 wmic.exe Token: SeSecurityPrivilege 3328 wmic.exe Token: SeTakeOwnershipPrivilege 3328 wmic.exe Token: SeLoadDriverPrivilege 3328 wmic.exe Token: SeSystemProfilePrivilege 3328 wmic.exe Token: SeSystemtimePrivilege 3328 wmic.exe Token: SeProfSingleProcessPrivilege 3328 wmic.exe Token: SeIncBasePriorityPrivilege 3328 wmic.exe Token: SeCreatePagefilePrivilege 3328 wmic.exe Token: SeBackupPrivilege 3328 wmic.exe Token: SeRestorePrivilege 3328 wmic.exe Token: SeShutdownPrivilege 3328 wmic.exe Token: SeDebugPrivilege 3328 wmic.exe Token: SeSystemEnvironmentPrivilege 3328 wmic.exe Token: SeRemoteShutdownPrivilege 3328 wmic.exe Token: SeUndockPrivilege 3328 wmic.exe Token: SeManageVolumePrivilege 3328 wmic.exe Token: 33 3328 wmic.exe Token: 34 3328 wmic.exe Token: 35 3328 wmic.exe Token: 36 3328 wmic.exe Token: SeIncreaseQuotaPrivilege 3328 wmic.exe Token: SeSecurityPrivilege 3328 wmic.exe Token: SeTakeOwnershipPrivilege 3328 wmic.exe Token: SeLoadDriverPrivilege 3328 wmic.exe Token: SeSystemProfilePrivilege 3328 wmic.exe Token: SeSystemtimePrivilege 3328 wmic.exe Token: SeProfSingleProcessPrivilege 3328 wmic.exe Token: SeIncBasePriorityPrivilege 3328 wmic.exe Token: SeCreatePagefilePrivilege 3328 wmic.exe Token: SeBackupPrivilege 3328 wmic.exe Token: SeRestorePrivilege 3328 wmic.exe Token: SeShutdownPrivilege 3328 wmic.exe Token: SeDebugPrivilege 3328 wmic.exe Token: SeSystemEnvironmentPrivilege 3328 wmic.exe Token: SeRemoteShutdownPrivilege 3328 wmic.exe Token: SeUndockPrivilege 3328 wmic.exe Token: SeManageVolumePrivilege 3328 wmic.exe Token: 33 3328 wmic.exe Token: 34 3328 wmic.exe Token: 35 3328 wmic.exe Token: 36 3328 wmic.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 3004 wrote to memory of 3328 3004 7bf1c7f44d3d495ede09e0ac3c64ae67.exe 85 PID 3004 wrote to memory of 3328 3004 7bf1c7f44d3d495ede09e0ac3c64ae67.exe 85 PID 3004 wrote to memory of 4544 3004 7bf1c7f44d3d495ede09e0ac3c64ae67.exe 89 PID 3004 wrote to memory of 4544 3004 7bf1c7f44d3d495ede09e0ac3c64ae67.exe 89
Processes
-
C:\Users\Admin\AppData\Local\Temp\7bf1c7f44d3d495ede09e0ac3c64ae67.exe"C:\Users\Admin\AppData\Local\Temp\7bf1c7f44d3d495ede09e0ac3c64ae67.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3004 -
C:\Windows\System32\Wbem\wmic.exewmic process get name,executablepath2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3328
-
-
C:\Windows\system32\findstr.exefindstr MsMpEng.exe2⤵PID:4544
-