Analysis
max time kernel: 118s
max time network: 124s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system
submitted: 09-01-2025 00:02
Static task: static1 (1 signatures)
Behavioral task: behavioral1
  Sample: Powershell Obfuscated 2.exe
  Resource: win7-20241010-en (windows7-x64)
  2 signatures, 150 seconds
General
Target: Powershell Obfuscated 2.exe
Size: 292KB
MD5: f30af95c3a3c086eebf694c35dda04e2
SHA1: 345ec2b55213feb12c9d28a8954f9a516002be2b
SHA256: 7e5bff5c80bb4378e89034d0fee7b956c0b4920f15ce43dc85f103211ec24137
SHA512: a439f4c3ba8698399544643e842da15fd13f4e1b96efa49527d0aba5696d0f62daa0137a185f87951969f6cd6bbbafadc356aed376707fce260e2ce8cdd496a9
SSDEEP: 1536:KIxTgCJepaWKK41pBcGMKs17xij+zdbOtEpfZ+sFIAO:KqTgae4WKK41p5s178j8dSe1Z+uI
Score: 1/10
Malware Config
Signatures
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
description                        pid   Process
Token: 33                          2816  AUDIODG.EXE
Token: SeIncBasePriorityPrivilege  2816  AUDIODG.EXE
Token: 33                          2816  AUDIODG.EXE
Token: SeIncBasePriorityPrivilege  2816  AUDIODG.EXE
-
Suspicious use of WriteProcessMemory 3 IoCs
description                        pid   Process                      procid_target
PID 2832 wrote to memory of 2180   2832  Powershell Obfuscated 2.exe  30
PID 2832 wrote to memory of 2180   2832  Powershell Obfuscated 2.exe  30
PID 2832 wrote to memory of 2180   2832  Powershell Obfuscated 2.exe  30
Processes
-
C:\Users\Admin\AppData\Local\Temp\Powershell Obfuscated 2.exe
  "C:\Users\Admin\AppData\Local\Temp\Powershell Obfuscated 2.exe"
  PID:2832
  - Suspicious use of WriteProcessMemory
    C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2832 -s 532
    PID:2180
C:\Program Files\Windows Defender\MSASCui.exe
  "C:\Program Files\Windows Defender\MSASCui.exe"
  PID:2604
C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  PID:2996
C:\Windows\system32\AUDIODG.EXE
  C:\Windows\system32\AUDIODG.EXE 0x180
  PID:2816
  - Suspicious use of AdjustPrivilegeToken
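Both signatures above need the process tree to read correctly. The only WriteProcessMemory target is PID 2180, which is WerFault.exe started with -p 2832, i.e. the Windows Error Reporting crash handler launched for the sample itself; the faulting process passing its crash data to WerFault is what the signature caught, not an injection into another process. The AdjustPrivilegeToken hits belong to AUDIODG.EXE (PID 2816), a root-level system process that is not a descendant of the sample. The script below is an added triage example, not part of the sandbox report or its tooling: it retypes the IoC rows and the tree as constructed input (parent links taken from the tree's indentation), suppresses the WER pattern, and reports which hits are actually attributable to the sample. The label names and the assumption that every other process is a root are mine.

```python
import re
from typing import Dict, List, Optional, Tuple

SAMPLE_PID = 2832

# Constructed from the report's process tree: (pid, parent pid, command line).
# Parent links follow the tree's depth markers; WerFault.exe is the sample's
# only child, every other process is a root (assumption: no other links shown).
PROCESSES: List[Tuple[int, Optional[int], str]] = [
    (2832, None, r'"C:\Users\Admin\AppData\Local\Temp\Powershell Obfuscated 2.exe"'),
    (2180, 2832, r'C:\Windows\system32\WerFault.exe -u -p 2832 -s 532'),
    (2604, None, r'"C:\Program Files\Windows Defender\MSASCui.exe"'),
    (2996, None, r'"C:\Windows\explorer.exe"'),
    (2816, None, r'C:\Windows\system32\AUDIODG.EXE 0x180'),
]

# Signature rows as the report flattens them (description, pid, process, ...).
WPM_ROWS = ["PID 2832 wrote to memory of 2180 2832 Powershell Obfuscated 2.exe 30"] * 3
TOKEN_ROWS = [
    "Token: 33 2816 AUDIODG.EXE",
    "Token: SeIncBasePriorityPrivilege 2816 AUDIODG.EXE",
    "Token: 33 2816 AUDIODG.EXE",
    "Token: SeIncBasePriorityPrivilege 2816 AUDIODG.EXE",
]

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")
TOKEN_RE = re.compile(r"Token: (\S+) (\d+) (\S+)")
# WerFault.exe -u -p <faulting pid> -s <event>: the WER crash handler.
WERFAULT_RE = re.compile(r"WerFault\.exe\b.*-p (\d+)", re.IGNORECASE)

_BY_PID: Dict[int, Tuple[Optional[int], str]] = {p: (pp, c) for p, pp, c in PROCESSES}


def descends_from(pid: Optional[int], ancestor: int) -> bool:
    """True if `pid` is `ancestor` or sits below it in the process tree."""
    seen = set()
    while pid is not None and pid not in seen:
        if pid == ancestor:
            return True
        seen.add(pid)
        pid = _BY_PID.get(pid, (None, ""))[0]
    return False


def classify_write(row: str) -> Tuple[int, int, str]:
    """Label one WriteProcessMemory row.

    A write into a WerFault.exe that was started for the writer's own PID is the
    crashing process handing its report to the WER handler, so it is tagged
    'wer-crash-handler' rather than treated as a cross-process write."""
    m = WPM_RE.search(row)
    if not m:
        raise ValueError(f"unparseable WriteProcessMemory row: {row!r}")
    writer, target = int(m.group(1)), int(m.group(2))
    _, target_cmd = _BY_PID.get(target, (None, ""))
    wer = WERFAULT_RE.search(target_cmd)
    if wer and int(wer.group(1)) == writer:
        return writer, target, "wer-crash-handler"
    if descends_from(writer, SAMPLE_PID):
        return writer, target, "sample-cross-process-write"
    return writer, target, "cross-process-write"


def classify_token(row: str) -> Tuple[str, int, str, str]:
    """Label one AdjustPrivilegeToken row by whether the process is in the sample's tree."""
    m = TOKEN_RE.search(row)
    if not m:
        raise ValueError(f"unparseable AdjustPrivilegeToken row: {row!r}")
    priv, pid, image = m.group(1), int(m.group(2)), m.group(3)
    scope = "sample-tree" if descends_from(pid, SAMPLE_PID) else "unrelated-system-process"
    return priv, pid, image, scope


def triage() -> Dict[str, object]:
    """Deduplicate the rows, flag a crash, and list hits attributable to the sample."""
    writes = sorted({classify_write(r) for r in WPM_ROWS})
    tokens = sorted({classify_token(r) for r in TOKEN_ROWS})
    sample_crashed = any(label == "wer-crash-handler" for _, _, label in writes)
    attributable: List[tuple] = [w for w in writes if w[2] != "wer-crash-handler"]
    attributable += [t for t in tokens if t[3] == "sample-tree"]
    return {
        "writes": writes,
        "tokens": tokens,
        "sample_crashed": sample_crashed,
        "attributable_to_sample": attributable,
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

For this report the result is one deduplicated write tagged as the WER crash handler, two token hits on an unrelated system process, and nothing attributable to the sample, which is consistent with the 1/10 score: the sample crashed on the Windows 7 image before doing anything observable. A different verdict would be warranted if a write targeted a process other than WerFault, or if WerFault's -p argument named a PID other than the writer's.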