1bc4b52e734e78fd92042ff55f58c03735b7fff3eb7bfed5611655d71654a25d

Resubmissions

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
24/05/2024, 14:50

Target

XqeosvmvOM.exe
Size

22.8MB
MD5

257afe5adb6d820914820f2f34263dc8
SHA1

ab292842fee5e5031ed0d04140b624b81be1ee8e
SHA256

1bc4b52e734e78fd92042ff55f58c03735b7fff3eb7bfed5611655d71654a25d
SHA512

02b1cd08fce41fc59f177f555665551cd8726c679f6a9097a62e929a6a22e15296bdc8b6b7a0712aa635e9b503e236c8f323bfbaefc81e3310e2f773374de52f
SSDEEP

393216:gvctGrxsatYfdIEy7mdFawPxZa+HeMqAuRV5ijdHeqr8r6RbYLL/wXvnrlDGnz:gggxMfdIP7mOwbxVQV4dz8r6RbIL/wXm

Score

5^/10

Suspicious use of NtSetInformationThreadHideFromDebugger 22 IoCs

Kills process with taskkill 2 IoCs

evasion

pid	Process
2804	taskkill.exe
2640	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2804	taskkill.exe
Token: SeDebugPrivilege	2640	taskkill.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2984 wrote to memory of 2256	2984	XqeosvmvOM.exe	28
PID 2984 wrote to memory of 2256	2984	XqeosvmvOM.exe	28
PID 2984 wrote to memory of 2256	2984	XqeosvmvOM.exe	28
PID 2256 wrote to memory of 2804	2256	cmd.exe	30
PID 2256 wrote to memory of 2804	2256	cmd.exe	30
PID 2256 wrote to memory of 2804	2256	cmd.exe	30
PID 2984 wrote to memory of 2536	2984	XqeosvmvOM.exe	32
PID 2984 wrote to memory of 2536	2984	XqeosvmvOM.exe	32
PID 2984 wrote to memory of 2536	2984	XqeosvmvOM.exe	32
PID 2536 wrote to memory of 2640	2536	cmd.exe	34
PID 2536 wrote to memory of 2640	2536	cmd.exe	34
PID 2536 wrote to memory of 2640	2536	cmd.exe	34
PID 2984 wrote to memory of 2568	2984	XqeosvmvOM.exe	35
PID 2984 wrote to memory of 2568	2984	XqeosvmvOM.exe	35
PID 2984 wrote to memory of 2568	2984	XqeosvmvOM.exe	35

C:\Users\Admin\AppData\Local\Temp\XqeosvmvOM.exe
"C:\Users\Admin\AppData\Local\Temp\XqeosvmvOM.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2984
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2256
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2804
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2536
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2640
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c @WECWIshin{%#7$# 4:&ju"8"obotbTe >nul 2>&1
  2⤵
  PID:2568

memory/2984-0-0x000000013FC95000-0x00000001410CF000-memory.dmp

Filesize
20.2MB

Download
memory/2984-1-0x0000000077160000-0x0000000077162000-memory.dmp

Filesize
8KB

Download
memory/2984-10-0x0000000077170000-0x0000000077172000-memory.dmp

Filesize
8KB

Download
memory/2984-14-0x000000013FB00000-0x0000000142793000-memory.dmp

Filesize
44.6MB

Download
memory/2984-15-0x000000013FB00000-0x0000000142793000-memory.dmp

Filesize
44.6MB

Download
memory/2984-8-0x0000000077170000-0x0000000077172000-memory.dmp

Filesize
8KB

Download
memory/2984-6-0x0000000077170000-0x0000000077172000-memory.dmp

Filesize
8KB

Download
memory/2984-5-0x0000000077160000-0x0000000077162000-memory.dmp

Filesize
8KB

Download
memory/2984-16-0x000000013FB00000-0x0000000142793000-memory.dmp

Filesize
44.6MB

Download
memory/2984-3-0x0000000077160000-0x0000000077162000-memory.dmp

Filesize
8KB

Download
memory/2984-17-0x000000013FC95000-0x00000001410CF000-memory.dmp

Filesize
20.2MB

Download
memory/2984-18-0x000000013FB00000-0x0000000142793000-memory.dmp

Filesize
44.6MB

Download