a1e9d2a0a36f1cb5b3fd09a3e07335f9987549fca015428369043031e2cc67cc

Analysis

max time kernel
141s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28-05-2024 16:13

Target

Unpacked/pppwn/PPPwn GUI 1.5.exe
Size

8.5MB
MD5

62a1d287a17007f98f776e9581de43f0
SHA1

3cd8aa22cf404c2b985c779e0653bdf6074cff3d
SHA256

de1a2c5f67fef973d84d32e8d469d5ac7f1f0aa071e35260ff0c959705b13b29
SHA512

2d4fa3f61f420912cf5a6531fac05414f3e3de7bc02e02aaddfe60314ccf3fa8f5d250681238643b02d9feb853e06a686faebfc68771932612420980e385fe84
SSDEEP

196608:UbvpiZgqLDs2PxBRKb5ZWDl98canLcWnPOA+j8OGE3BbbRYl:48ZZHPx3gZpVdGR9xJRYl

Score

1^/10

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

2588 taskkill.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

taskkill.exe

description pid process

Token: SeDebugPrivilege 2588 taskkill.exe

pid	process
2588	taskkill.exe

description	pid	process
Token: SeDebugPrivilege	2588	taskkill.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

PPPwn GUI 1.5.execmd.exe

description	pid	process	target process
PID 1700 wrote to memory of 2260	1700	PPPwn GUI 1.5.exe	cmd.exe
PID 1700 wrote to memory of 2260	1700	PPPwn GUI 1.5.exe	cmd.exe
PID 1700 wrote to memory of 2260	1700	PPPwn GUI 1.5.exe	cmd.exe
PID 2260 wrote to memory of 2588	2260	cmd.exe	taskkill.exe
PID 2260 wrote to memory of 2588	2260	cmd.exe	taskkill.exe
PID 2260 wrote to memory of 2588	2260	cmd.exe	taskkill.exe
PID 1700 wrote to memory of 1716	1700	PPPwn GUI 1.5.exe	pppwn_.exe
PID 1700 wrote to memory of 1716	1700	PPPwn GUI 1.5.exe	pppwn_.exe
PID 1700 wrote to memory of 1716	1700	PPPwn GUI 1.5.exe	pppwn_.exe

C:\Users\Admin\AppData\Local\Temp\Unpacked\pppwn\PPPwn GUI 1.5.exe
"C:\Users\Admin\AppData\Local\Temp\Unpacked\pppwn\PPPwn GUI 1.5.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1700

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C taskkill /IM pppwn_.exe /f
2⤵
- Suspicious use of WriteProcessMemory
PID:2260

C:\Users\Admin\AppData\Local\Temp\Unpacked\pppwn\exploit\pppwn_.exe
"exploit\pppwn_.exe" --interface="Ethernet" --fw=1100 --stage1=exploit\stage1\stage1_1100.bin --stage2=exploit\stage2\stage2_1100.bin
2⤵
PID:1716

memory/1700-0-0x0000000074ACE000-0x0000000074ACF000-memory.dmp

Filesize
4KB

Download
memory/1700-1-0x0000000000D40000-0x00000000015C2000-memory.dmp

Filesize
8.5MB

Download
memory/1700-2-0x00000000064A0000-0x0000000006A44000-memory.dmp

Filesize
5.6MB

Download
memory/1700-3-0x0000000006A50000-0x0000000006F44000-memory.dmp

Filesize
5.0MB

Download
memory/1700-4-0x00000000063C0000-0x0000000006452000-memory.dmp

Filesize
584KB

Download
memory/1700-5-0x0000000006480000-0x000000000648A000-memory.dmp

Filesize
40KB

Download
memory/1700-6-0x0000000074AC0000-0x0000000075270000-memory.dmp

Filesize
7.7MB

Download
memory/1700-7-0x0000000074AC0000-0x0000000075270000-memory.dmp

Filesize
7.7MB

Download
memory/1700-8-0x0000000074ACE000-0x0000000074ACF000-memory.dmp

Filesize
4KB

Download
memory/1700-9-0x0000000074AC0000-0x0000000075270000-memory.dmp

Filesize
7.7MB

Download
memory/1700-10-0x0000000007FC0000-0x0000000008146000-memory.dmp

Filesize
1.5MB

Download