Analysis
- max time kernel: 92s
- max time network: 121s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12-02-2024 15:09
Behavioral task: behavioral1
- Sample: bT5b.exe
- Resource: win7-20231215-en
- 2 signatures
- 150 seconds

Behavioral task: behavioral2
- Sample: bT5b.exe
- Resource: win10v2004-20231215-en
- 2 signatures
- 150 seconds
General
- Target: bT5b.exe
- Size: 32KB
- MD5: 287fbbbc69050158902e5a297a4693bf
- SHA1: ac8fea9c0d591a0dc8d46e6e1450e79697c62596
- SHA256: 7d86de2d2e6cd118653666fd446f52370e890e3f72ba30de620abdea1f514822
- SHA512: a22cf7084ff85567bc482b7da5cf8cd2d78c4b5653c1b87cc23ad3cf1330b836f87300a84fb67a34177a15179ad21218b296c5a35b79fe5b43725cb77e74ea3e
- SSDEEP: 384:Q0bUe5XB4e0X7OZOiaXLilpknDAWTEtTUFQqz9eObbG:VT9BuCjaXWlZwbG
- Score: 1/10
Malware Config
Signatures
-
- Suspicious use of AdjustPrivilegeToken (21 IoCs)
Processes:
  description                         pid   process
  Token: SeDebugPrivilege             1356  bT5b.exe
  Token: 33                           1356  bT5b.exe
  Token: SeIncBasePriorityPrivilege   1356  bT5b.exe
  Token: 33                           1356  bT5b.exe
  Token: SeIncBasePriorityPrivilege   1356  bT5b.exe
  Token: 33                           1356  bT5b.exe
  Token: SeIncBasePriorityPrivilege   1356  bT5b.exe
  Token: 33                           1356  bT5b.exe
  Token: SeIncBasePriorityPrivilege   1356  bT5b.exe
  Token: 33                           1356  bT5b.exe
  Token: SeIncBasePriorityPrivilege   1356  bT5b.exe
  Token: 33                           1356  bT5b.exe
  Token: SeIncBasePriorityPrivilege   1356  bT5b.exe
  Token: 33                           1356  bT5b.exe
  Token: SeIncBasePriorityPrivilege   1356  bT5b.exe
  Token: 33                           1356  bT5b.exe
  Token: SeIncBasePriorityPrivilege   1356  bT5b.exe
  Token: 33                           1356  bT5b.exe
  Token: SeIncBasePriorityPrivilege   1356  bT5b.exe
  Token: 33                           1356  bT5b.exe
  Token: SeIncBasePriorityPrivilege   1356  bT5b.exe

- Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description                            pid   process   target process
  PID 1356 wrote to memory of 4108       1356  bT5b.exe  cmd.exe
  PID 1356 wrote to memory of 4108       1356  bT5b.exe  cmd.exe
  PID 1356 wrote to memory of 4108       1356  bT5b.exe  cmd.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\bT5b.exe (PID 1356)
  Command line: "C:\Users\Admin\AppData\Local\Temp\bT5b.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 4108, child of 1356)
    Command line: cmd.exe /C Y /N /D Y /T 1 & Del "C:\Users\Admin\AppData\Local\Temp\bT5b.exe"