d4e901f570b46b8ca41b41e4008da395b61941e822b41cf22b23709b80f202f6

Analysis

max time kernel
147s
max time network
146s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
02/02/2024, 15:59

Target

89ef802cf9fb90cd9631c22003de8edb.exe
Size

6KB
MD5

89ef802cf9fb90cd9631c22003de8edb
SHA1

e3af6fa4f97bd34e6bb25879d6b281d0e11ec00d
SHA256

d4e901f570b46b8ca41b41e4008da395b61941e822b41cf22b23709b80f202f6
SHA512

7002ba9c9d9740132d69a1c10f87195f5c84d6c2d835e8bf996b41ff2e534f25f5c1e689ae5f9c094e83a27f8ee5e515565fd00179908630bffa7163e0ae6426
SSDEEP

192:BsQo0ulFwbdm2bWcVx5uSeJHMxnxJZJspN:BsQulKJmIW8xs9cnxJ7spN

Score

7^/10

Deletes itself 1 IoCs

pid	Process
2220	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2308	89ef802cf9fb90cd9631c22003de8edb.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\89ef802cf9fb90cd9631c22003de8edb.exe	89ef802cf9fb90cd9631c22003de8edb.exe
File created	C:\Windows\89ef802cf9fb90cd9631c22003de8edb.exe	89ef802cf9fb90cd9631c22003de8edb.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1652	89ef802cf9fb90cd9631c22003de8edb.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1652 wrote to memory of 2220	1652	89ef802cf9fb90cd9631c22003de8edb.exe	29
PID 1652 wrote to memory of 2220	1652	89ef802cf9fb90cd9631c22003de8edb.exe	29
PID 1652 wrote to memory of 2220	1652	89ef802cf9fb90cd9631c22003de8edb.exe	29
PID 1652 wrote to memory of 2220	1652	89ef802cf9fb90cd9631c22003de8edb.exe	29

C:\Users\Admin\AppData\Local\Temp\89ef802cf9fb90cd9631c22003de8edb.exe
"C:\Users\Admin\AppData\Local\Temp\89ef802cf9fb90cd9631c22003de8edb.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1652
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\89EF80~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2220

C:\Windows\89ef802cf9fb90cd9631c22003de8edb.exe
C:\Windows\89ef802cf9fb90cd9631c22003de8edb.exe
1⤵
- Executes dropped EXE
PID:2308

C:\Windows\89ef802cf9fb90cd9631c22003de8edb.exe

Filesize
6KB

MD5
89ef802cf9fb90cd9631c22003de8edb

SHA1
e3af6fa4f97bd34e6bb25879d6b281d0e11ec00d

SHA256
d4e901f570b46b8ca41b41e4008da395b61941e822b41cf22b23709b80f202f6

SHA512
7002ba9c9d9740132d69a1c10f87195f5c84d6c2d835e8bf996b41ff2e534f25f5c1e689ae5f9c094e83a27f8ee5e515565fd00179908630bffa7163e0ae6426

Download Submit
memory/1652-2-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2308-3-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download