eb11bed8dc7f38dac0d1baa1a8a65410c63710006b98e1d299e1727ffe59e1ab

Analysis

max time kernel
141s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
04-06-2024 10:30

Target

eb11bed8dc7f38dac0d1baa1a8a65410c63710006b98e1d299e1727ffe59e1ab.exe
Size

3.0MB
MD5

a7038af64cd8a9a67548acfbf8bc7346
SHA1

3e8fff19f10beea0a0ba384e822a6f7e6ffdcff6
SHA256

eb11bed8dc7f38dac0d1baa1a8a65410c63710006b98e1d299e1727ffe59e1ab
SHA512

560a10f986bf0a138535b2f4de6878e27a6804c07eb6271a0abe6e668b2794052117d7d7b02d13f57c30b250a1e795eda1d5ec07f142041f7f43ac5ea13b28db
SSDEEP

49152:b6hyfTJOLmn6cbgWK3H1ak3jriNAPArCaaoyKgfI73bUn0I8M3csC:qG9am6cEW0YWyK7aaop13bUn0I8YC

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
1984	~~3814996989428952013.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2092	eb11bed8dc7f38dac0d1baa1a8a65410c63710006b98e1d299e1727ffe59e1ab.exe
2092	eb11bed8dc7f38dac0d1baa1a8a65410c63710006b98e1d299e1727ffe59e1ab.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeBackupPrivilege	2092	eb11bed8dc7f38dac0d1baa1a8a65410c63710006b98e1d299e1727ffe59e1ab.exe
Token: SeRestorePrivilege	2092	eb11bed8dc7f38dac0d1baa1a8a65410c63710006b98e1d299e1727ffe59e1ab.exe
Token: 33	2092	eb11bed8dc7f38dac0d1baa1a8a65410c63710006b98e1d299e1727ffe59e1ab.exe
Token: SeIncBasePriorityPrivilege	2092	eb11bed8dc7f38dac0d1baa1a8a65410c63710006b98e1d299e1727ffe59e1ab.exe
Token: 33	2092	eb11bed8dc7f38dac0d1baa1a8a65410c63710006b98e1d299e1727ffe59e1ab.exe
Token: SeIncBasePriorityPrivilege	2092	eb11bed8dc7f38dac0d1baa1a8a65410c63710006b98e1d299e1727ffe59e1ab.exe
Token: SeBackupPrivilege	1872	eb11bed8dc7f38dac0d1baa1a8a65410c63710006b98e1d299e1727ffe59e1ab.exe
Token: SeRestorePrivilege	1872	eb11bed8dc7f38dac0d1baa1a8a65410c63710006b98e1d299e1727ffe59e1ab.exe
Token: 33	1872	eb11bed8dc7f38dac0d1baa1a8a65410c63710006b98e1d299e1727ffe59e1ab.exe
Token: SeIncBasePriorityPrivilege	1872	eb11bed8dc7f38dac0d1baa1a8a65410c63710006b98e1d299e1727ffe59e1ab.exe
Token: 33	2092	eb11bed8dc7f38dac0d1baa1a8a65410c63710006b98e1d299e1727ffe59e1ab.exe
Token: SeIncBasePriorityPrivilege	2092	eb11bed8dc7f38dac0d1baa1a8a65410c63710006b98e1d299e1727ffe59e1ab.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2092 wrote to memory of 1872	2092	eb11bed8dc7f38dac0d1baa1a8a65410c63710006b98e1d299e1727ffe59e1ab.exe	28
PID 2092 wrote to memory of 1872	2092	eb11bed8dc7f38dac0d1baa1a8a65410c63710006b98e1d299e1727ffe59e1ab.exe	28
PID 2092 wrote to memory of 1872	2092	eb11bed8dc7f38dac0d1baa1a8a65410c63710006b98e1d299e1727ffe59e1ab.exe	28
PID 2092 wrote to memory of 1872	2092	eb11bed8dc7f38dac0d1baa1a8a65410c63710006b98e1d299e1727ffe59e1ab.exe	28
PID 2092 wrote to memory of 1984	2092	eb11bed8dc7f38dac0d1baa1a8a65410c63710006b98e1d299e1727ffe59e1ab.exe	29
PID 2092 wrote to memory of 1984	2092	eb11bed8dc7f38dac0d1baa1a8a65410c63710006b98e1d299e1727ffe59e1ab.exe	29
PID 2092 wrote to memory of 1984	2092	eb11bed8dc7f38dac0d1baa1a8a65410c63710006b98e1d299e1727ffe59e1ab.exe	29
PID 2092 wrote to memory of 1984	2092	eb11bed8dc7f38dac0d1baa1a8a65410c63710006b98e1d299e1727ffe59e1ab.exe	29

C:\Users\Admin\AppData\Local\Temp\eb11bed8dc7f38dac0d1baa1a8a65410c63710006b98e1d299e1727ffe59e1ab.exe
"C:\Users\Admin\AppData\Local\Temp\eb11bed8dc7f38dac0d1baa1a8a65410c63710006b98e1d299e1727ffe59e1ab.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Users\Admin\AppData\Local\Temp\eb11bed8dc7f38dac0d1baa1a8a65410c63710006b98e1d299e1727ffe59e1ab.exe
  PECMD**pecmd-cmd* PUTF "C:\Users\Admin\AppData\Local\Temp\~~3814996989428952013.tmp.exe",,"C:\Users\Admin\AppData\Local\Temp\eb11bed8dc7f38dac0d1baa1a8a65410c63710006b98e1d299e1727ffe59e1ab.exe""#102|SCRIPT"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1872
- C:\Users\Admin\AppData\Local\Temp\~~3814996989428952013.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\~~3814996989428952013.tmp.exe"
  2⤵
  - Executes dropped EXE
  PID:1984

C:\Users\Admin\AppData\Local\Temp\~~3814996989428952013.tmp.exe

Filesize
3.8MB

MD5
b32869a6af4b306b52fc6d7ab7004695

SHA1
0bab1ef88963f5e3c7911796517eb00f83cc0e1d

SHA256
ad6094a7c0b72ae972c6e2f9b8948ff9dacdaeb02ebab1e0b69f894cb48e58e3

SHA512
25e8854a88314dea08b9337bf1574180007917e2094bcbcd238de70ca00b148b347d1829d78742446769eef76a78761f09a1d7f1c5001785a405c99556468db2

Download Submit
memory/1984-5-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1984-21-0x0000000000400000-0x00000000007D5000-memory.dmp

Filesize
3.8MB

Download
memory/1984-23-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download