e5813de67eb6f3bf8976528d985cf2a2f67640a5e5e330cf8d0aad33e74448e1

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
01/02/2024, 23:29

Target

87f2990b3bd138ef759b10b31ef3d130.exe
Size

644KB
MD5

87f2990b3bd138ef759b10b31ef3d130
SHA1

600d02844c443e584d80bc5cde94123f40479dd4
SHA256

e5813de67eb6f3bf8976528d985cf2a2f67640a5e5e330cf8d0aad33e74448e1
SHA512

3d281e81dc0bed6be3b9fabb3e990aac899023d148fa3d1892ea75d76011a905ad0c64aa1d3304cdc6d579edc6fd9b3f1d93ae39e6df803fba4806c78fcc1976
SSDEEP

12288:k3423hel9QQwW5AP7j34lIJrpqaAEh39UOTpl5Tq63Bvo2Xq3+6lr:k3jR5QwW5ATs0rsUh39UO73Bvo2Xw

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
640	G_Server1.23.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\G_Server1.23.exe	87f2990b3bd138ef759b10b31ef3d130.exe
File opened for modification	C:\Windows\G_Server1.23.exe	87f2990b3bd138ef759b10b31ef3d130.exe
File created	C:\Windows\Delete.bAt	87f2990b3bd138ef759b10b31ef3d130.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1880	87f2990b3bd138ef759b10b31ef3d130.exe
Token: SeDebugPrivilege	640	G_Server1.23.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
640	G_Server1.23.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1880 wrote to memory of 4988	1880	87f2990b3bd138ef759b10b31ef3d130.exe	90
PID 1880 wrote to memory of 4988	1880	87f2990b3bd138ef759b10b31ef3d130.exe	90
PID 1880 wrote to memory of 4988	1880	87f2990b3bd138ef759b10b31ef3d130.exe	90
PID 640 wrote to memory of 1416	640	G_Server1.23.exe	91
PID 640 wrote to memory of 1416	640	G_Server1.23.exe	91

C:\Users\Admin\AppData\Local\Temp\87f2990b3bd138ef759b10b31ef3d130.exe
"C:\Users\Admin\AppData\Local\Temp\87f2990b3bd138ef759b10b31ef3d130.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1880
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\Delete.bAt
  2⤵
  PID:4988

C:\Windows\G_Server1.23.exe
C:\Windows\G_Server1.23.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:640
- C:\pROGRAM fILES\iNTERNET eXPLORER\iexplore.exe
  "C:\pROGRAM fILES\iNTERNET eXPLORER\iexplore.exe"
  2⤵
  PID:1416

C:\Windows\Delete.bAt

Filesize
186B

MD5
5f572014a670f089dbee2b7cf6bd1a2a

SHA1
e739c2a6cf638faf39194a2da74a6a2ce4d18971

SHA256
614469ba863610cb2387113b3ed3867c45f4026289d24d53a6e452ceb5bebb61

SHA512
84f2dbc0df0335afbe87166903be4441dd21603d9217d5b7da0077ec7bdaf8d6a9168059ed7782d5ed21a9ed285c75db723b3981ece75406b739fb6cdf7c9469

Download Submit
C:\Windows\G_Server1.23.exe

Filesize
644KB

MD5
87f2990b3bd138ef759b10b31ef3d130

SHA1
600d02844c443e584d80bc5cde94123f40479dd4

SHA256
e5813de67eb6f3bf8976528d985cf2a2f67640a5e5e330cf8d0aad33e74448e1

SHA512
3d281e81dc0bed6be3b9fabb3e990aac899023d148fa3d1892ea75d76011a905ad0c64aa1d3304cdc6d579edc6fd9b3f1d93ae39e6df803fba4806c78fcc1976

Download Submit
memory/640-7-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/640-10-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/1880-0-0x0000000002360000-0x0000000002361000-memory.dmp

Filesize
4KB

Download
memory/1880-8-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download