a11e5e97a308ee046545cfe0167079f89968f9a1d7ae0b8a9dbc7dc39cbe2e09

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
16-07-2024 05:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

gunzipped.exe
Size

123KB
MD5

dd4f5cbd58b0f61c045bb5dd0a843fa5
SHA1

689376a01eedaa37df77f054efbcb48ab637856d
SHA256

a11e5e97a308ee046545cfe0167079f89968f9a1d7ae0b8a9dbc7dc39cbe2e09
SHA512

081101de416c8422009fe125e7f1d047a83e11dc710439bff2b2d52f810d263aacea18a3f82fc0a6d791e90362f7a14bcaf0143003ae0ec70616e6b0eb81495b
SSDEEP

1536:0+feNoQi3CjLGpIccs2SxXTf2WN9+Zu4VqWwryRNPTYtxYTnAeHz5JTpSUDzctjr:Uoh9csuWCSkN0wnA6z57SmCo8H

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2148	gunzipped.exe
2148	gunzipped.exe
2148	gunzipped.exe
2148	gunzipped.exe
2148	gunzipped.exe
2148	gunzipped.exe
2148	gunzipped.exe
2148	gunzipped.exe
2148	gunzipped.exe
2148	gunzipped.exe
2148	gunzipped.exe
2148	gunzipped.exe
2148	gunzipped.exe
2148	gunzipped.exe
2148	gunzipped.exe
2148	gunzipped.exe
2148	gunzipped.exe
2148	gunzipped.exe
2148	gunzipped.exe
2148	gunzipped.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2148	gunzipped.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 2148 wrote to memory of 2296	2148	gunzipped.exe	30
PID 2148 wrote to memory of 2296	2148	gunzipped.exe	30
PID 2148 wrote to memory of 2296	2148	gunzipped.exe	30
PID 2148 wrote to memory of 2296	2148	gunzipped.exe	30
PID 2148 wrote to memory of 2424	2148	gunzipped.exe	31
PID 2148 wrote to memory of 2424	2148	gunzipped.exe	31
PID 2148 wrote to memory of 2424	2148	gunzipped.exe	31
PID 2148 wrote to memory of 2424	2148	gunzipped.exe	31
PID 2148 wrote to memory of 2180	2148	gunzipped.exe	32
PID 2148 wrote to memory of 2180	2148	gunzipped.exe	32
PID 2148 wrote to memory of 2180	2148	gunzipped.exe	32
PID 2148 wrote to memory of 2180	2148	gunzipped.exe	32
PID 2148 wrote to memory of 2092	2148	gunzipped.exe	33
PID 2148 wrote to memory of 2092	2148	gunzipped.exe	33
PID 2148 wrote to memory of 2092	2148	gunzipped.exe	33
PID 2148 wrote to memory of 2092	2148	gunzipped.exe	33
PID 2148 wrote to memory of 2316	2148	gunzipped.exe	34
PID 2148 wrote to memory of 2316	2148	gunzipped.exe	34
PID 2148 wrote to memory of 2316	2148	gunzipped.exe	34
PID 2148 wrote to memory of 2316	2148	gunzipped.exe	34
PID 2148 wrote to memory of 1712	2148	gunzipped.exe	35
PID 2148 wrote to memory of 1712	2148	gunzipped.exe	35
PID 2148 wrote to memory of 1712	2148	gunzipped.exe	35
PID 2148 wrote to memory of 1712	2148	gunzipped.exe	35
PID 2148 wrote to memory of 2672	2148	gunzipped.exe	36
PID 2148 wrote to memory of 2672	2148	gunzipped.exe	36
PID 2148 wrote to memory of 2672	2148	gunzipped.exe	36
PID 2148 wrote to memory of 2672	2148	gunzipped.exe	36
PID 2148 wrote to memory of 2280	2148	gunzipped.exe	37
PID 2148 wrote to memory of 2280	2148	gunzipped.exe	37
PID 2148 wrote to memory of 2280	2148	gunzipped.exe	37
PID 2148 wrote to memory of 2280	2148	gunzipped.exe	37
PID 2148 wrote to memory of 2544	2148	gunzipped.exe	38
PID 2148 wrote to memory of 2544	2148	gunzipped.exe	38
PID 2148 wrote to memory of 2544	2148	gunzipped.exe	38
PID 2148 wrote to memory of 2544	2148	gunzipped.exe	38
PID 2148 wrote to memory of 2072	2148	gunzipped.exe	39
PID 2148 wrote to memory of 2072	2148	gunzipped.exe	39
PID 2148 wrote to memory of 2072	2148	gunzipped.exe	39
PID 2148 wrote to memory of 2072	2148	gunzipped.exe	39

C:\Users\Admin\AppData\Local\Temp\gunzipped.exe
"C:\Users\Admin\AppData\Local\Temp\gunzipped.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2148
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:2296
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:2424
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:2180
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:2092
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:2316
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:1712
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:2672
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:2280
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:2544
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:2072

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2148-0-0x000007FEF5FF3000-0x000007FEF5FF4000-memory.dmp

Filesize
4KB

Download
memory/2148-1-0x00000000012E0000-0x0000000001304000-memory.dmp

Filesize
144KB

Download
memory/2148-2-0x000007FEF5FF0000-0x000007FEF69DC000-memory.dmp

Filesize
9.9MB

Download
memory/2148-3-0x0000000000150000-0x000000000015A000-memory.dmp

Filesize
40KB

Download
memory/2148-4-0x000007FEF5FF0000-0x000007FEF69DC000-memory.dmp

Filesize
9.9MB

Download