be8ea87d52a6570b9076067c31f86ebb6a185b5c2ef94a7f3a1dab50829f0156

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
24/07/2024, 03:00

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

be8ea87d52a6570b9076067c31f86ebb6a185b5c2ef94a7f3a1dab50829f0156.exe
Size

19KB
MD5

0ea93be3e01f5f04f45065e9b765dfa2
SHA1

6a8d20dbe318fccd9208615d29d7e411b82978bc
SHA256

be8ea87d52a6570b9076067c31f86ebb6a185b5c2ef94a7f3a1dab50829f0156
SHA512

3679eec6e3012fad456b82f3b9d24151b69e14fc8a60f09dc7e9fa7742d3b7b48226a50bf0f4600256a227244089c2857c1d2ea4384958196a78d8b3665698bf
SSDEEP

384:177ekgGt+GTfeJTjdep2DiAM8NtzVrjECvpTZ7YZiiay9ycyrsR2vZ:UypiYin8ycyrsR2vZ

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2936	be8ea87d52a6570b9076067c31f86ebb6a185b5c2ef94a7f3a1dab50829f0156.exe
2936	be8ea87d52a6570b9076067c31f86ebb6a185b5c2ef94a7f3a1dab50829f0156.exe
2936	be8ea87d52a6570b9076067c31f86ebb6a185b5c2ef94a7f3a1dab50829f0156.exe
2936	be8ea87d52a6570b9076067c31f86ebb6a185b5c2ef94a7f3a1dab50829f0156.exe
2936	be8ea87d52a6570b9076067c31f86ebb6a185b5c2ef94a7f3a1dab50829f0156.exe
2936	be8ea87d52a6570b9076067c31f86ebb6a185b5c2ef94a7f3a1dab50829f0156.exe
2936	be8ea87d52a6570b9076067c31f86ebb6a185b5c2ef94a7f3a1dab50829f0156.exe
2936	be8ea87d52a6570b9076067c31f86ebb6a185b5c2ef94a7f3a1dab50829f0156.exe
2936	be8ea87d52a6570b9076067c31f86ebb6a185b5c2ef94a7f3a1dab50829f0156.exe
2936	be8ea87d52a6570b9076067c31f86ebb6a185b5c2ef94a7f3a1dab50829f0156.exe
2936	be8ea87d52a6570b9076067c31f86ebb6a185b5c2ef94a7f3a1dab50829f0156.exe
2936	be8ea87d52a6570b9076067c31f86ebb6a185b5c2ef94a7f3a1dab50829f0156.exe
2936	be8ea87d52a6570b9076067c31f86ebb6a185b5c2ef94a7f3a1dab50829f0156.exe
2936	be8ea87d52a6570b9076067c31f86ebb6a185b5c2ef94a7f3a1dab50829f0156.exe
2936	be8ea87d52a6570b9076067c31f86ebb6a185b5c2ef94a7f3a1dab50829f0156.exe
2936	be8ea87d52a6570b9076067c31f86ebb6a185b5c2ef94a7f3a1dab50829f0156.exe
2936	be8ea87d52a6570b9076067c31f86ebb6a185b5c2ef94a7f3a1dab50829f0156.exe
2936	be8ea87d52a6570b9076067c31f86ebb6a185b5c2ef94a7f3a1dab50829f0156.exe
2936	be8ea87d52a6570b9076067c31f86ebb6a185b5c2ef94a7f3a1dab50829f0156.exe
2936	be8ea87d52a6570b9076067c31f86ebb6a185b5c2ef94a7f3a1dab50829f0156.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2936	be8ea87d52a6570b9076067c31f86ebb6a185b5c2ef94a7f3a1dab50829f0156.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 2936 wrote to memory of 2420	2936	be8ea87d52a6570b9076067c31f86ebb6a185b5c2ef94a7f3a1dab50829f0156.exe	28
PID 2936 wrote to memory of 2420	2936	be8ea87d52a6570b9076067c31f86ebb6a185b5c2ef94a7f3a1dab50829f0156.exe	28
PID 2936 wrote to memory of 2420	2936	be8ea87d52a6570b9076067c31f86ebb6a185b5c2ef94a7f3a1dab50829f0156.exe	28
PID 2936 wrote to memory of 2420	2936	be8ea87d52a6570b9076067c31f86ebb6a185b5c2ef94a7f3a1dab50829f0156.exe	28
PID 2936 wrote to memory of 1604	2936	be8ea87d52a6570b9076067c31f86ebb6a185b5c2ef94a7f3a1dab50829f0156.exe	29
PID 2936 wrote to memory of 1604	2936	be8ea87d52a6570b9076067c31f86ebb6a185b5c2ef94a7f3a1dab50829f0156.exe	29
PID 2936 wrote to memory of 1604	2936	be8ea87d52a6570b9076067c31f86ebb6a185b5c2ef94a7f3a1dab50829f0156.exe	29
PID 2936 wrote to memory of 1604	2936	be8ea87d52a6570b9076067c31f86ebb6a185b5c2ef94a7f3a1dab50829f0156.exe	29
PID 2936 wrote to memory of 2056	2936	be8ea87d52a6570b9076067c31f86ebb6a185b5c2ef94a7f3a1dab50829f0156.exe	30
PID 2936 wrote to memory of 2056	2936	be8ea87d52a6570b9076067c31f86ebb6a185b5c2ef94a7f3a1dab50829f0156.exe	30
PID 2936 wrote to memory of 2056	2936	be8ea87d52a6570b9076067c31f86ebb6a185b5c2ef94a7f3a1dab50829f0156.exe	30
PID 2936 wrote to memory of 2056	2936	be8ea87d52a6570b9076067c31f86ebb6a185b5c2ef94a7f3a1dab50829f0156.exe	30
PID 2936 wrote to memory of 1628	2936	be8ea87d52a6570b9076067c31f86ebb6a185b5c2ef94a7f3a1dab50829f0156.exe	31
PID 2936 wrote to memory of 1628	2936	be8ea87d52a6570b9076067c31f86ebb6a185b5c2ef94a7f3a1dab50829f0156.exe	31
PID 2936 wrote to memory of 1628	2936	be8ea87d52a6570b9076067c31f86ebb6a185b5c2ef94a7f3a1dab50829f0156.exe	31
PID 2936 wrote to memory of 1628	2936	be8ea87d52a6570b9076067c31f86ebb6a185b5c2ef94a7f3a1dab50829f0156.exe	31
PID 2936 wrote to memory of 1888	2936	be8ea87d52a6570b9076067c31f86ebb6a185b5c2ef94a7f3a1dab50829f0156.exe	32
PID 2936 wrote to memory of 1888	2936	be8ea87d52a6570b9076067c31f86ebb6a185b5c2ef94a7f3a1dab50829f0156.exe	32
PID 2936 wrote to memory of 1888	2936	be8ea87d52a6570b9076067c31f86ebb6a185b5c2ef94a7f3a1dab50829f0156.exe	32
PID 2936 wrote to memory of 1888	2936	be8ea87d52a6570b9076067c31f86ebb6a185b5c2ef94a7f3a1dab50829f0156.exe	32
PID 2936 wrote to memory of 1736	2936	be8ea87d52a6570b9076067c31f86ebb6a185b5c2ef94a7f3a1dab50829f0156.exe	33
PID 2936 wrote to memory of 1736	2936	be8ea87d52a6570b9076067c31f86ebb6a185b5c2ef94a7f3a1dab50829f0156.exe	33
PID 2936 wrote to memory of 1736	2936	be8ea87d52a6570b9076067c31f86ebb6a185b5c2ef94a7f3a1dab50829f0156.exe	33
PID 2936 wrote to memory of 1736	2936	be8ea87d52a6570b9076067c31f86ebb6a185b5c2ef94a7f3a1dab50829f0156.exe	33
PID 2936 wrote to memory of 1212	2936	be8ea87d52a6570b9076067c31f86ebb6a185b5c2ef94a7f3a1dab50829f0156.exe	34
PID 2936 wrote to memory of 1212	2936	be8ea87d52a6570b9076067c31f86ebb6a185b5c2ef94a7f3a1dab50829f0156.exe	34
PID 2936 wrote to memory of 1212	2936	be8ea87d52a6570b9076067c31f86ebb6a185b5c2ef94a7f3a1dab50829f0156.exe	34
PID 2936 wrote to memory of 1212	2936	be8ea87d52a6570b9076067c31f86ebb6a185b5c2ef94a7f3a1dab50829f0156.exe	34
PID 2936 wrote to memory of 1892	2936	be8ea87d52a6570b9076067c31f86ebb6a185b5c2ef94a7f3a1dab50829f0156.exe	35
PID 2936 wrote to memory of 1892	2936	be8ea87d52a6570b9076067c31f86ebb6a185b5c2ef94a7f3a1dab50829f0156.exe	35
PID 2936 wrote to memory of 1892	2936	be8ea87d52a6570b9076067c31f86ebb6a185b5c2ef94a7f3a1dab50829f0156.exe	35
PID 2936 wrote to memory of 1892	2936	be8ea87d52a6570b9076067c31f86ebb6a185b5c2ef94a7f3a1dab50829f0156.exe	35
PID 2936 wrote to memory of 2268	2936	be8ea87d52a6570b9076067c31f86ebb6a185b5c2ef94a7f3a1dab50829f0156.exe	36
PID 2936 wrote to memory of 2268	2936	be8ea87d52a6570b9076067c31f86ebb6a185b5c2ef94a7f3a1dab50829f0156.exe	36
PID 2936 wrote to memory of 2268	2936	be8ea87d52a6570b9076067c31f86ebb6a185b5c2ef94a7f3a1dab50829f0156.exe	36
PID 2936 wrote to memory of 2268	2936	be8ea87d52a6570b9076067c31f86ebb6a185b5c2ef94a7f3a1dab50829f0156.exe	36
PID 2936 wrote to memory of 2264	2936	be8ea87d52a6570b9076067c31f86ebb6a185b5c2ef94a7f3a1dab50829f0156.exe	37
PID 2936 wrote to memory of 2264	2936	be8ea87d52a6570b9076067c31f86ebb6a185b5c2ef94a7f3a1dab50829f0156.exe	37
PID 2936 wrote to memory of 2264	2936	be8ea87d52a6570b9076067c31f86ebb6a185b5c2ef94a7f3a1dab50829f0156.exe	37
PID 2936 wrote to memory of 2264	2936	be8ea87d52a6570b9076067c31f86ebb6a185b5c2ef94a7f3a1dab50829f0156.exe	37
PID 2936 wrote to memory of 2888	2936	be8ea87d52a6570b9076067c31f86ebb6a185b5c2ef94a7f3a1dab50829f0156.exe	38
PID 2936 wrote to memory of 2888	2936	be8ea87d52a6570b9076067c31f86ebb6a185b5c2ef94a7f3a1dab50829f0156.exe	38
PID 2936 wrote to memory of 2888	2936	be8ea87d52a6570b9076067c31f86ebb6a185b5c2ef94a7f3a1dab50829f0156.exe	38

C:\Users\Admin\AppData\Local\Temp\be8ea87d52a6570b9076067c31f86ebb6a185b5c2ef94a7f3a1dab50829f0156.exe
"C:\Users\Admin\AppData\Local\Temp\be8ea87d52a6570b9076067c31f86ebb6a185b5c2ef94a7f3a1dab50829f0156.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:2420
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:1604
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:2056
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:1628
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:1888
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:1736
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:1212
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:1892
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:2268
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:2264
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2936 -s 1240
  2⤵
  PID:2888

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2936-0-0x000007FEF5893000-0x000007FEF5894000-memory.dmp

Filesize
4KB

Download
memory/2936-1-0x0000000000BD0000-0x0000000000BDA000-memory.dmp

Filesize
40KB

Download
memory/2936-2-0x0000000000450000-0x000000000045A000-memory.dmp

Filesize
40KB

Download
memory/2936-3-0x000007FEF5890000-0x000007FEF627C000-memory.dmp

Filesize
9.9MB

Download
memory/2936-4-0x000007FEF5893000-0x000007FEF5894000-memory.dmp

Filesize
4KB

Download
memory/2936-5-0x000007FEF5890000-0x000007FEF627C000-memory.dmp

Filesize
9.9MB

Download