Analysis
- max time kernel: 95s
- max time network: 136s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21-11-2024 11:19
Static task
- static1
Behavioral task
- behavioral1
  Sample: 881b6e5422d2ffd4737f7c86b35d4515b2935ade508643e0b8a0bbf65fb58db7.exe
  Resource: win7-20240903-en
Behavioral task
- behavioral2
  Sample: 881b6e5422d2ffd4737f7c86b35d4515b2935ade508643e0b8a0bbf65fb58db7.exe
  Resource: win10v2004-20241007-en
General
- Target: 881b6e5422d2ffd4737f7c86b35d4515b2935ade508643e0b8a0bbf65fb58db7.exe
- Size: 258KB
- MD5: d48e60a39e9b3ff670db0076b945b522
- SHA1: cbf50709eaff37936988b6edfcce1b0473e00f85
- SHA256: 881b6e5422d2ffd4737f7c86b35d4515b2935ade508643e0b8a0bbf65fb58db7
- SHA512: a57e366535a83964a4e244ea69679d69ad6296b44c33a5cae51ffce09c114a40efcd657899aed4fb0ce978174a73bfac5213d246afd590b3f4978d02ef4a1d13
- SSDEEP: 3072:YHSAQy3H57Vh3E8cZdrLQEhZVUnpAT+qq+Fpfb2vz+DVCN7cbp5fRrcZ:YLQyX55h3BcZdr0sZ8+rgyfFo
Malware Config
Signatures
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  1696  881b6e5422d2ffd4737f7c86b35d4515b2935ade508643e0b8a0bbf65fb58db7.exe
  1696  881b6e5422d2ffd4737f7c86b35d4515b2935ade508643e0b8a0bbf65fb58db7.exe
- Suspicious behavior: MapViewOfSection (1 IoC)
  pid   Process
  1696  881b6e5422d2ffd4737f7c86b35d4515b2935ade508643e0b8a0bbf65fb58db7.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   Process
  Token: SeDebugPrivilege  1696  881b6e5422d2ffd4737f7c86b35d4515b2935ade508643e0b8a0bbf65fb58db7.exe
- Suspicious use of WriteProcessMemory (64 IoCs; consecutive identical rows are collapsed, with the number of rows in the last column)
  description                      pid  Process            procid_target  rows
  PID 668 wrote to memory of 2320  668  Process not Found  85             1
  PID 668 wrote to memory of 2792  668  Process not Found  47             3
  PID 668 wrote to memory of 3496  668  Process not Found  86             11
  PID 668 wrote to memory of 2792  668  Process not Found  47             3
  PID 668 wrote to memory of 1636  668  Process not Found  84             12
  PID 668 wrote to memory of 2188  668  Process not Found  40             1
  PID 668 wrote to memory of 2792  668  Process not Found  47             6
  PID 668 wrote to memory of 4744  668  Process not Found  96             11
  PID 668 wrote to memory of 2792  668  Process not Found  47             4
  PID 668 wrote to memory of 2748  668  Process not Found  46             11
  PID 668 wrote to memory of 2792  668  Process not Found  47             1
  Note: every row names PID 668 as the writing process. That PID is not the sample (PID 1696) and has no entry under Processes, which is why the report shows it as "Process not Found"; the target PIDs (2320, 2792, 3496, 1636, 2188, 4744, 2748) are the system processes listed under Processes. This signature therefore records no cross-process write by the sample itself.
Processes
- C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
  PID: 2188
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
  PID: 2748
- C:\Windows\sysmon.exe
  Command line: C:\Windows\sysmon.exe
  PID: 2792
- C:\Users\Admin\AppData\Local\Temp\881b6e5422d2ffd4737f7c86b35d4515b2935ade508643e0b8a0bbf65fb58db7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\881b6e5422d2ffd4737f7c86b35d4515b2935ade508643e0b8a0bbf65fb58db7.exe"
  PID: 1696
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbem\wmiprvse.exe
  Command line: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
  PID: 1636
- \Windows\System32\lsass.exe
  PID: 2320
- C:\Windows\System32\WaaSMedicAgent.exe
  Command line: C:\Windows\System32\WaaSMedicAgent.exe ee8cdee94d895b60e30ddaf8e18405e1 jYWNCZQNsUSEx/9EojMU0w.0.1.0.0.0
  PID: 3496
- C:\Windows\System32\mousocoreworker.exe
  Command line: C:\Windows\System32\mousocoreworker.exe -Embedding
  PID: 4744
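Cross-checking the WriteProcessMemory signature against the process list, as an added Python example that is not part of the sandbox report above: it parses the flattened signature rows as the report renders them, collapses repeats into one row per writer/target pair with a count, resolves target PIDs to the images in the Processes section, and reports which writer PIDs are absent from the process tree and whether the submitted sample appears as a writer at all. The embedded rows are a subset of the 64 entries above and the PID-to-image map is transcribed from the Processes section; the sample PID 1696 is taken from the report, and nothing else is assumed.

```python
import re
from collections import Counter

# A subset of the rows from the "Suspicious use of WriteProcessMemory"
# signature above, in the flattened form the report renders them in.
SIGNATURE_TEXT = (
    "PID 668 wrote to memory of 2320 668 Process not Found 85 "
    "PID 668 wrote to memory of 2792 668 Process not Found 47 "
    "PID 668 wrote to memory of 2792 668 Process not Found 47 "
    "PID 668 wrote to memory of 3496 668 Process not Found 86 "
    "PID 668 wrote to memory of 1636 668 Process not Found 84 "
    "PID 668 wrote to memory of 2188 668 Process not Found 40 "
    "PID 668 wrote to memory of 4744 668 Process not Found 96 "
    "PID 668 wrote to memory of 2748 668 Process not Found 46"
)

# PID -> image name, transcribed from the Processes section of the report.
PROCESS_LIST = {
    2188: "svchost.exe (LanmanWorkstation)",
    2748: "svchost.exe (CryptSvc)",
    2792: "sysmon.exe",
    1696: "881b6e5422d2ffd4737f7c86b35d4515b2935ade508643e0b8a0bbf65fb58db7.exe",
    1636: "wmiprvse.exe",
    2320: "lsass.exe",
    3496: "WaaSMedicAgent.exe",
    4744: "mousocoreworker.exe",
}

# PID of the submitted sample, from the Processes section.
SAMPLE_PID = 1696

# One row reads: "PID <src> wrote to memory of <dst> <src> <src process name> <target index>".
# The writer PID is repeated, so a backreference pins the second copy; the process
# name can contain spaces ("Process not Found"), so it is matched lazily up to the
# trailing index, which must be followed by the next "PID " or the end of the text.
ENTRY_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) "
    r"(?P<src_name>.+?) (?P<dst_idx>\d+)(?= PID |$)"
)


def parse_entries(text):
    """Split flattened signature text into (writer, target, writer_name, target_idx) tuples."""
    return [
        (int(m["src"]), int(m["dst"]), m["src_name"], int(m["dst_idx"]))
        for m in ENTRY_RE.finditer(text)
    ]


def summarize(entries, process_list):
    """Collapse repeated rows into one per (writer, target) with a count and resolved image."""
    counts = Counter((src, dst) for src, dst, _, _ in entries)
    return [
        {
            "writer": src,
            "target": dst,
            "target_image": process_list.get(dst, "not in process list"),
            "writes": n,
        }
        for (src, dst), n in counts.items()
    ]


def writers_missing_from_tree(entries, process_list):
    """Writer PIDs named by the signature that have no entry in the Processes section."""
    return sorted({src for src, _, _, _ in entries if src not in process_list})


def writes_by_sample(entries, sample_pid):
    """Entries in which the submitted sample is the writing process."""
    return [e for e in entries if e[0] == sample_pid]


if __name__ == "__main__":
    rows = parse_entries(SIGNATURE_TEXT)
    for row in summarize(rows, PROCESS_LIST):
        print(row)
    print("writers not in process tree:", writers_missing_from_tree(rows, PROCESS_LIST))
    print("writes attributed to the sample:", len(writes_by_sample(rows, SAMPLE_PID)))
```

Run against the full 64 rows, `writers_missing_from_tree` returns only 668 and `writes_by_sample` returns nothing, which is the quickest way to see that this signature fired on an unattributed process rather than on the sample.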