a5a0f1d816d082a07ad590df584d0960e8fa70db87926edc8b15050936a9f367

Analysis

max time kernel
143s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
02/02/2024, 04:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

88856db21284ea0bacb20a544600815c.exe
Size

41KB
MD5

88856db21284ea0bacb20a544600815c
SHA1

448a29d32fff9318769e37c5288a92bdb1042eb4
SHA256

a5a0f1d816d082a07ad590df584d0960e8fa70db87926edc8b15050936a9f367
SHA512

b9053a45036c6e57035a71d5c89d2b81f4d5f10e10fc9e282f69ad98f90514559e08997e0a41c5a941c0848c10ff34b3f4540eec358d1cde4b7d8ba7f61d4a71
SSDEEP

768:Bgme9GwyIpR6GBzIbc61Gl3jbgIVEeXNz6j5QntXr8sYX8:BFe94UdBUbj1yTnXNO5MtXI

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2384	88856db21284ea0bacb20a544600815c.exe
2384	88856db21284ea0bacb20a544600815c.exe

Suspicious behavior: MapViewOfSection 64 IoCs

pid	Process
2384	88856db21284ea0bacb20a544600815c.exe
2384	88856db21284ea0bacb20a544600815c.exe
2384	88856db21284ea0bacb20a544600815c.exe
2384	88856db21284ea0bacb20a544600815c.exe
2384	88856db21284ea0bacb20a544600815c.exe
2384	88856db21284ea0bacb20a544600815c.exe
2384	88856db21284ea0bacb20a544600815c.exe
2384	88856db21284ea0bacb20a544600815c.exe
2384	88856db21284ea0bacb20a544600815c.exe
2384	88856db21284ea0bacb20a544600815c.exe
2384	88856db21284ea0bacb20a544600815c.exe
2384	88856db21284ea0bacb20a544600815c.exe
2384	88856db21284ea0bacb20a544600815c.exe
2384	88856db21284ea0bacb20a544600815c.exe
2384	88856db21284ea0bacb20a544600815c.exe
2384	88856db21284ea0bacb20a544600815c.exe
2384	88856db21284ea0bacb20a544600815c.exe
2384	88856db21284ea0bacb20a544600815c.exe
2384	88856db21284ea0bacb20a544600815c.exe
2384	88856db21284ea0bacb20a544600815c.exe
2384	88856db21284ea0bacb20a544600815c.exe
2384	88856db21284ea0bacb20a544600815c.exe
2384	88856db21284ea0bacb20a544600815c.exe
2384	88856db21284ea0bacb20a544600815c.exe
2384	88856db21284ea0bacb20a544600815c.exe
2384	88856db21284ea0bacb20a544600815c.exe
2384	88856db21284ea0bacb20a544600815c.exe
2384	88856db21284ea0bacb20a544600815c.exe
2384	88856db21284ea0bacb20a544600815c.exe
2384	88856db21284ea0bacb20a544600815c.exe
2384	88856db21284ea0bacb20a544600815c.exe
2384	88856db21284ea0bacb20a544600815c.exe
2384	88856db21284ea0bacb20a544600815c.exe
2384	88856db21284ea0bacb20a544600815c.exe
2384	88856db21284ea0bacb20a544600815c.exe
2384	88856db21284ea0bacb20a544600815c.exe
2384	88856db21284ea0bacb20a544600815c.exe
2384	88856db21284ea0bacb20a544600815c.exe
2384	88856db21284ea0bacb20a544600815c.exe
2384	88856db21284ea0bacb20a544600815c.exe
2384	88856db21284ea0bacb20a544600815c.exe
2384	88856db21284ea0bacb20a544600815c.exe
2384	88856db21284ea0bacb20a544600815c.exe
2384	88856db21284ea0bacb20a544600815c.exe
2384	88856db21284ea0bacb20a544600815c.exe
2384	88856db21284ea0bacb20a544600815c.exe
2384	88856db21284ea0bacb20a544600815c.exe
2384	88856db21284ea0bacb20a544600815c.exe
2384	88856db21284ea0bacb20a544600815c.exe
2384	88856db21284ea0bacb20a544600815c.exe
2384	88856db21284ea0bacb20a544600815c.exe
2384	88856db21284ea0bacb20a544600815c.exe
2384	88856db21284ea0bacb20a544600815c.exe
2384	88856db21284ea0bacb20a544600815c.exe
2384	88856db21284ea0bacb20a544600815c.exe
2384	88856db21284ea0bacb20a544600815c.exe
2384	88856db21284ea0bacb20a544600815c.exe
2384	88856db21284ea0bacb20a544600815c.exe
2384	88856db21284ea0bacb20a544600815c.exe
2384	88856db21284ea0bacb20a544600815c.exe
2384	88856db21284ea0bacb20a544600815c.exe
2384	88856db21284ea0bacb20a544600815c.exe
2384	88856db21284ea0bacb20a544600815c.exe
2384	88856db21284ea0bacb20a544600815c.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2384	88856db21284ea0bacb20a544600815c.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 608	2384	88856db21284ea0bacb20a544600815c.exe	3
PID 2384 wrote to memory of 608	2384	88856db21284ea0bacb20a544600815c.exe	3
PID 2384 wrote to memory of 608	2384	88856db21284ea0bacb20a544600815c.exe	3
PID 2384 wrote to memory of 608	2384	88856db21284ea0bacb20a544600815c.exe	3
PID 2384 wrote to memory of 608	2384	88856db21284ea0bacb20a544600815c.exe	3
PID 2384 wrote to memory of 608	2384	88856db21284ea0bacb20a544600815c.exe	3
PID 2384 wrote to memory of 660	2384	88856db21284ea0bacb20a544600815c.exe	1
PID 2384 wrote to memory of 660	2384	88856db21284ea0bacb20a544600815c.exe	1
PID 2384 wrote to memory of 660	2384	88856db21284ea0bacb20a544600815c.exe	1
PID 2384 wrote to memory of 660	2384	88856db21284ea0bacb20a544600815c.exe	1
PID 2384 wrote to memory of 660	2384	88856db21284ea0bacb20a544600815c.exe	1
PID 2384 wrote to memory of 660	2384	88856db21284ea0bacb20a544600815c.exe	1
PID 2384 wrote to memory of 772	2384	88856db21284ea0bacb20a544600815c.exe	8
PID 2384 wrote to memory of 772	2384	88856db21284ea0bacb20a544600815c.exe	8
PID 2384 wrote to memory of 772	2384	88856db21284ea0bacb20a544600815c.exe	8
PID 2384 wrote to memory of 772	2384	88856db21284ea0bacb20a544600815c.exe	8
PID 2384 wrote to memory of 772	2384	88856db21284ea0bacb20a544600815c.exe	8
PID 2384 wrote to memory of 772	2384	88856db21284ea0bacb20a544600815c.exe	8
PID 2384 wrote to memory of 788	2384	88856db21284ea0bacb20a544600815c.exe	82
PID 2384 wrote to memory of 788	2384	88856db21284ea0bacb20a544600815c.exe	82
PID 2384 wrote to memory of 788	2384	88856db21284ea0bacb20a544600815c.exe	82
PID 2384 wrote to memory of 788	2384	88856db21284ea0bacb20a544600815c.exe	82
PID 2384 wrote to memory of 788	2384	88856db21284ea0bacb20a544600815c.exe	82
PID 2384 wrote to memory of 788	2384	88856db21284ea0bacb20a544600815c.exe	82
PID 2384 wrote to memory of 792	2384	88856db21284ea0bacb20a544600815c.exe	81
PID 2384 wrote to memory of 792	2384	88856db21284ea0bacb20a544600815c.exe	81
PID 2384 wrote to memory of 792	2384	88856db21284ea0bacb20a544600815c.exe	81
PID 2384 wrote to memory of 792	2384	88856db21284ea0bacb20a544600815c.exe	81
PID 2384 wrote to memory of 792	2384	88856db21284ea0bacb20a544600815c.exe	81
PID 2384 wrote to memory of 792	2384	88856db21284ea0bacb20a544600815c.exe	81
PID 2384 wrote to memory of 900	2384	88856db21284ea0bacb20a544600815c.exe	80
PID 2384 wrote to memory of 900	2384	88856db21284ea0bacb20a544600815c.exe	80
PID 2384 wrote to memory of 900	2384	88856db21284ea0bacb20a544600815c.exe	80
PID 2384 wrote to memory of 900	2384	88856db21284ea0bacb20a544600815c.exe	80
PID 2384 wrote to memory of 900	2384	88856db21284ea0bacb20a544600815c.exe	80
PID 2384 wrote to memory of 900	2384	88856db21284ea0bacb20a544600815c.exe	80
PID 2384 wrote to memory of 944	2384	88856db21284ea0bacb20a544600815c.exe	79
PID 2384 wrote to memory of 944	2384	88856db21284ea0bacb20a544600815c.exe	79
PID 2384 wrote to memory of 944	2384	88856db21284ea0bacb20a544600815c.exe	79
PID 2384 wrote to memory of 944	2384	88856db21284ea0bacb20a544600815c.exe	79
PID 2384 wrote to memory of 944	2384	88856db21284ea0bacb20a544600815c.exe	79
PID 2384 wrote to memory of 944	2384	88856db21284ea0bacb20a544600815c.exe	79
PID 2384 wrote to memory of 316	2384	88856db21284ea0bacb20a544600815c.exe	9
PID 2384 wrote to memory of 316	2384	88856db21284ea0bacb20a544600815c.exe	9
PID 2384 wrote to memory of 316	2384	88856db21284ea0bacb20a544600815c.exe	9
PID 2384 wrote to memory of 316	2384	88856db21284ea0bacb20a544600815c.exe	9
PID 2384 wrote to memory of 316	2384	88856db21284ea0bacb20a544600815c.exe	9
PID 2384 wrote to memory of 316	2384	88856db21284ea0bacb20a544600815c.exe	9
PID 2384 wrote to memory of 396	2384	88856db21284ea0bacb20a544600815c.exe	78
PID 2384 wrote to memory of 396	2384	88856db21284ea0bacb20a544600815c.exe	78
PID 2384 wrote to memory of 396	2384	88856db21284ea0bacb20a544600815c.exe	78
PID 2384 wrote to memory of 396	2384	88856db21284ea0bacb20a544600815c.exe	78
PID 2384 wrote to memory of 396	2384	88856db21284ea0bacb20a544600815c.exe	78
PID 2384 wrote to memory of 396	2384	88856db21284ea0bacb20a544600815c.exe	78
PID 2384 wrote to memory of 412	2384	88856db21284ea0bacb20a544600815c.exe	77
PID 2384 wrote to memory of 412	2384	88856db21284ea0bacb20a544600815c.exe	77
PID 2384 wrote to memory of 412	2384	88856db21284ea0bacb20a544600815c.exe	77
PID 2384 wrote to memory of 412	2384	88856db21284ea0bacb20a544600815c.exe	77
PID 2384 wrote to memory of 412	2384	88856db21284ea0bacb20a544600815c.exe	77
PID 2384 wrote to memory of 412	2384	88856db21284ea0bacb20a544600815c.exe	77
PID 2384 wrote to memory of 516	2384	88856db21284ea0bacb20a544600815c.exe	76
PID 2384 wrote to memory of 516	2384	88856db21284ea0bacb20a544600815c.exe	76
PID 2384 wrote to memory of 516	2384	88856db21284ea0bacb20a544600815c.exe	76
PID 2384 wrote to memory of 516	2384	88856db21284ea0bacb20a544600815c.exe	76

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:660

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:608
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:316
- C:\Windows\system32\fontdrvhost.exe
  "fontdrvhost.exe"
  2⤵
  PID:792

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:772
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:3856
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:4072
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  2⤵
  PID:4240
- C:\Windows\system32\wbem\wmiprvse.exe
  C:\Windows\system32\wbem\wmiprvse.exe
  2⤵
  PID:1348
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:2264
- C:\Windows\system32\SppExtComObj.exe
  C:\Windows\system32\SppExtComObj.exe -Embedding
  2⤵
  PID:1160
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:2260
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:4208
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  2⤵
  PID:760
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  2⤵
  PID:3956
- C:\Windows\system32\wbem\unsecapp.exe
  C:\Windows\system32\wbem\unsecapp.exe -Embedding
  2⤵
  PID:3152

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1128

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2848

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:2012

C:\Windows\system32\MusNotification.exe
C:\Windows\system32\MusNotification.exe
1⤵
PID:1444

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:2956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:3640

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:4508

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4968

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:2468

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:728

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3488

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3472
- C:\Users\Admin\AppData\Local\Temp\88856db21284ea0bacb20a544600815c.exe
  "C:\Users\Admin\AppData\Local\Temp\88856db21284ea0bacb20a544600815c.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2384

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2876

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2868

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2840

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2824

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2792

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2772

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2604

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2596

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2556

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2520

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2280

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2204

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:2172

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2140

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:1888

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1676

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:2004

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1996

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1984

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1804

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1764

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1720

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1680

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1656

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1532

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1512

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1400

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1392

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1376

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1280

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1252

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1120

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1104

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1096

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:1080

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:516

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc
1⤵
PID:412

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:396

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:944

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:900

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:788

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2384-0-0x0000000001000000-0x000000000100F000-memory.dmp

Filesize
60KB

Download
memory/2384-1-0x000000007FE40000-0x000000007FE4C000-memory.dmp

Filesize
48KB

Download
memory/2384-2-0x0000000077D92000-0x0000000077D93000-memory.dmp

Filesize
4KB

Download
memory/2384-3-0x0000000077D93000-0x0000000077D94000-memory.dmp

Filesize
4KB

Download
memory/2384-4-0x000000007FE40000-0x000000007FE4C000-memory.dmp

Filesize
48KB

Download
memory/2384-5-0x0000000001000000-0x000000000100F000-memory.dmp

Filesize
60KB

Download