6d4aa425810a16dd447ef4382bf70a95683578c56ad8ee2abe60e5a13bcdadee

Analysis

max time kernel
150s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
05-04-2024 22:38

Target

6d4aa425810a16dd447ef4382bf70a95683578c56ad8ee2abe60e5a13bcdadee.exe
Size

201KB
MD5

b8ff12a993665cc870e5ceaa026fc30a
SHA1

77177e5d8465cabb7a26bd445cd5ff0bcd2b8ab7
SHA256

6d4aa425810a16dd447ef4382bf70a95683578c56ad8ee2abe60e5a13bcdadee
SHA512

79d6d4d3634e47f2eb26a5bc7d10ff0dc28e3d211eab179c55f09e3d3e234ff618e1446934d7886bc91c38f19b142ef36baadd0f5906475f63f3908abd6b8386
SSDEEP

3072:0oUvg4fqjO00Yhxumzc6QIFqC067xd8xYCm9YvQd2p:0ojV0Yvzc6QIFqCNFd8Xjp

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
3040	tbckyxk.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\tbckyxk.exe	6d4aa425810a16dd447ef4382bf70a95683578c56ad8ee2abe60e5a13bcdadee.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3040	tbckyxk.exe
Token: SeDebugPrivilege	1176	Explorer.EXE

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2020	6d4aa425810a16dd447ef4382bf70a95683578c56ad8ee2abe60e5a13bcdadee.exe
3040	tbckyxk.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2312 wrote to memory of 3040	2312	taskeng.exe	29
PID 2312 wrote to memory of 3040	2312	taskeng.exe	29
PID 2312 wrote to memory of 3040	2312	taskeng.exe	29
PID 2312 wrote to memory of 3040	2312	taskeng.exe	29
PID 3040 wrote to memory of 1176	3040	tbckyxk.exe	21

C:\Windows\system32\taskeng.exe
taskeng.exe {B0C74251-6EF6-417A-9563-93E26C829358} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2312
- C:\PROGRA~3\Mozilla\tbckyxk.exe
  C:\PROGRA~3\Mozilla\tbckyxk.exe -gqpcbye
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:3040

C:\PROGRA~3\Mozilla\tbckyxk.exe

Filesize
201KB

MD5
46971d231711148033937517580b3bb9

SHA1
930b0758a5e2c4eea07c78fe75f5e4ab25d1ce87

SHA256
704f54fb0cbdea5fcc38821b36202b3a01fb770001cedddbe68d59dd7ce7e71d

SHA512
ad29b331b1d28b03e9f45d937f47e60f863e844ae807685421cf238826fd863168de425cb73c8016cd25f6c1db733b469e386a6500bbbe7a9875efc40e2672d8

Download Submit
memory/1176-8-0x00000000021F0000-0x000000000220C000-memory.dmp

Filesize
112KB

Download
memory/1176-10-0x00000000021F0000-0x000000000220C000-memory.dmp

Filesize
112KB

Download
memory/2020-1-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2020-0-0x0000000000240000-0x000000000029F000-memory.dmp

Filesize
380KB

Download
memory/2020-3-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3040-6-0x0000000000350000-0x00000000003AF000-memory.dmp

Filesize
380KB

Download
memory/3040-7-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3040-13-0x0000000000350000-0x00000000003AF000-memory.dmp

Filesize
380KB

Download
memory/3040-12-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download