4c73d23d866eacbd8d16ed7cd045f24979734901d2ae4420a2f98a94bea88be3

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
08/07/2024, 18:45

Target

2d6df574ed67dd1e6f04ea4977b01912_JaffaCakes118.exe
Size

128KB
MD5

2d6df574ed67dd1e6f04ea4977b01912
SHA1

371ecc2fcaa2bc19b7bb66700df55aa85963df53
SHA256

4c73d23d866eacbd8d16ed7cd045f24979734901d2ae4420a2f98a94bea88be3
SHA512

177c36aecb508f2345db91e0495f5b58a7b2cfb9e414d157e79edc4dbe4f489853c4b1625b9c519f166acfc56a3576650b9c08c7d55fd4b56b469b62d3a87600
SSDEEP

3072:G/6wJQi3diipak1sGb6cUmGvmul4VKwXzvdoG69o0:06tiNik/YnlEJBg

Score

1^/10

Suspicious use of AdjustPrivilegeToken 34 IoCs

description	pid	Process
Token: SeShutdownPrivilege	304	msiexec.exe
Token: SeIncreaseQuotaPrivilege	304	msiexec.exe
Token: SeRestorePrivilege	2392	msiexec.exe
Token: SeTakeOwnershipPrivilege	2392	msiexec.exe
Token: SeSecurityPrivilege	2392	msiexec.exe
Token: SeCreateTokenPrivilege	304	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	304	msiexec.exe
Token: SeLockMemoryPrivilege	304	msiexec.exe
Token: SeIncreaseQuotaPrivilege	304	msiexec.exe
Token: SeMachineAccountPrivilege	304	msiexec.exe
Token: SeTcbPrivilege	304	msiexec.exe
Token: SeSecurityPrivilege	304	msiexec.exe
Token: SeTakeOwnershipPrivilege	304	msiexec.exe
Token: SeLoadDriverPrivilege	304	msiexec.exe
Token: SeSystemProfilePrivilege	304	msiexec.exe
Token: SeSystemtimePrivilege	304	msiexec.exe
Token: SeProfSingleProcessPrivilege	304	msiexec.exe
Token: SeIncBasePriorityPrivilege	304	msiexec.exe
Token: SeCreatePagefilePrivilege	304	msiexec.exe
Token: SeCreatePermanentPrivilege	304	msiexec.exe
Token: SeBackupPrivilege	304	msiexec.exe
Token: SeRestorePrivilege	304	msiexec.exe
Token: SeShutdownPrivilege	304	msiexec.exe
Token: SeDebugPrivilege	304	msiexec.exe
Token: SeAuditPrivilege	304	msiexec.exe
Token: SeSystemEnvironmentPrivilege	304	msiexec.exe
Token: SeChangeNotifyPrivilege	304	msiexec.exe
Token: SeRemoteShutdownPrivilege	304	msiexec.exe
Token: SeUndockPrivilege	304	msiexec.exe
Token: SeSyncAgentPrivilege	304	msiexec.exe
Token: SeEnableDelegationPrivilege	304	msiexec.exe
Token: SeManageVolumePrivilege	304	msiexec.exe
Token: SeImpersonatePrivilege	304	msiexec.exe
Token: SeCreateGlobalPrivilege	304	msiexec.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 1704	2524	2d6df574ed67dd1e6f04ea4977b01912_JaffaCakes118.exe	30
PID 2524 wrote to memory of 1704	2524	2d6df574ed67dd1e6f04ea4977b01912_JaffaCakes118.exe	30
PID 2524 wrote to memory of 1704	2524	2d6df574ed67dd1e6f04ea4977b01912_JaffaCakes118.exe	30
PID 2524 wrote to memory of 1704	2524	2d6df574ed67dd1e6f04ea4977b01912_JaffaCakes118.exe	30
PID 1704 wrote to memory of 304	1704	cmd.exe	32
PID 1704 wrote to memory of 304	1704	cmd.exe	32
PID 1704 wrote to memory of 304	1704	cmd.exe	32
PID 1704 wrote to memory of 304	1704	cmd.exe	32
PID 1704 wrote to memory of 304	1704	cmd.exe	32
PID 1704 wrote to memory of 304	1704	cmd.exe	32
PID 1704 wrote to memory of 304	1704	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\2d6df574ed67dd1e6f04ea4977b01912_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2d6df574ed67dd1e6f04ea4977b01912_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Windows\Temp\a00568.bat" "C:\Users\Admin\AppData\Local\Temp\2d6df574ed67dd1e6f04ea4977b01912_JaffaCakes118.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1704
- - C:\Windows\SysWOW64\msiexec.exe
    msiexec.exe /i "AcronisTrueImageSetup.msi" PIDKEY=AUPNP-VJ7QU-VEA2N-T3Q46-Y3ZJ9 /qn /norestart
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:304

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2392

C:\Windows\Temp\a00568.bat

Filesize
106B

MD5
9fc60ebbb81eab4f4d0a4efc1b18c949

SHA1
fe71d13192e776d112d8643e25e3cc0cb92b05a3

SHA256
3c23bb8d49aab0a5bc76366b9934a2c33e69ebd34340d1c8a39bec39ddde884d

SHA512
d5d04e3b9f3009688fe032ac411ccbc3ae261c1eea11600d83cd31bc2dd37875a7be500ddc339a9b6083117e72a9062932a8f1a51e5d920678829a27aa8d0ce6

Download Submit
memory/2524-9-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download