50c003ff481b1ed89785895a34b8ab6f5b31f387d0b2bd404691893ec2fc5879

Analysis

max time kernel
46s
max time network
50s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
21/09/2024, 13:28

Reason

Machine shutdown

Target

Loader.exe
Size

11KB
MD5

eb47f3eb3f6c1ce904693029ad5af609
SHA1

660686e7a38d4572f847e8e3c206c3514133b599
SHA256

50c003ff481b1ed89785895a34b8ab6f5b31f387d0b2bd404691893ec2fc5879
SHA512

191a48ac4633217c5cb557dfac459d4510b44399ab0835fbca52d5cb59bf2da4a7ae325577ad911c8325e451d25e221ba50236ab64576661ddb7a5ba10faae38
SSDEEP

192:o+j5EmfluiNkme8WapB6GSTU3Q5tfMcMn:o+j5RflpljBBl3pn

Score

1^/10

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2536	shutdown.exe
Token: SeRemoteShutdownPrivilege	2536	shutdown.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2936 wrote to memory of 2208	2936	Loader.exe	31
PID 2936 wrote to memory of 2208	2936	Loader.exe	31
PID 2936 wrote to memory of 2208	2936	Loader.exe	31
PID 2208 wrote to memory of 2180	2208	cmd.exe	32
PID 2208 wrote to memory of 2180	2208	cmd.exe	32
PID 2208 wrote to memory of 2180	2208	cmd.exe	32
PID 2936 wrote to memory of 1176	2936	Loader.exe	35
PID 2936 wrote to memory of 1176	2936	Loader.exe	35
PID 2936 wrote to memory of 1176	2936	Loader.exe	35
PID 1176 wrote to memory of 2536	1176	cmd.exe	36
PID 1176 wrote to memory of 2536	1176	cmd.exe	36
PID 1176 wrote to memory of 2536	1176	cmd.exe	36
PID 2936 wrote to memory of 2784	2936	Loader.exe	38
PID 2936 wrote to memory of 2784	2936	Loader.exe	38
PID 2936 wrote to memory of 2784	2936	Loader.exe	38
PID 2784 wrote to memory of 880	2784	cmd.exe	39
PID 2784 wrote to memory of 880	2784	cmd.exe	39
PID 2784 wrote to memory of 880	2784	cmd.exe	39

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start cmd
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2208
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:2180
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c shutdown /s /f /t 0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1176
- - C:\Windows\system32\shutdown.exe
    shutdown /s /f /t 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2536
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start cmd
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:880

memory/2544-0-0x0000000002D90000-0x0000000002D91000-memory.dmp

Filesize
4KB

Download
memory/2556-1-0x0000000002AA0000-0x0000000002AA1000-memory.dmp

Filesize
4KB

Download