291977390ed9da8791a2395429c6040ba437de103c6215d80052d583221db9d2

Analysis

max time kernel
104s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
01/04/2025, 12:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

8.5MB
MD5

a5afaac697fab2c766051607ae273134
SHA1

4618047e01c29c2b2fc9c7e217fdbfd290dba0d6
SHA256

291977390ed9da8791a2395429c6040ba437de103c6215d80052d583221db9d2
SHA512

8d1bd9173e4f1ebc464c19dfd44736773a36301bc3f4af57c9c8dd228c47b5d53a97e09465380edb300bb4c4b19bd4883ab7bd3129ba2d3310b4371ef22804c7
SSDEEP

196608:LVWcUXnQ6xnIswB3ys2uypSZ4JCaqcwB3ys2uypSZ4JC7q:LVWcUXnQ6xnIp9zyS4JCaqZ9zyS4JC7q

Score

1^/10

Malware Config

Signatures

Kills process with taskkill 6 IoCs

defense_evasion

pid	Process
936	taskkill.exe
1568	taskkill.exe
5068	taskkill.exe
4588	taskkill.exe
4728	taskkill.exe
4704	taskkill.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	936	taskkill.exe
Token: 33	1044	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1044	AUDIODG.EXE
Token: SeDebugPrivilege	1568	taskkill.exe
Token: SeDebugPrivilege	5068	taskkill.exe
Token: SeDebugPrivilege	4588	taskkill.exe
Token: SeDebugPrivilege	4728	taskkill.exe
Token: SeDebugPrivilege	4704	taskkill.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 1788 wrote to memory of 1500	1788	file.exe	87
PID 1788 wrote to memory of 1500	1788	file.exe	87
PID 1788 wrote to memory of 5724	1788	file.exe	88
PID 1788 wrote to memory of 5724	1788	file.exe	88
PID 1788 wrote to memory of 5352	1788	file.exe	89
PID 1788 wrote to memory of 5352	1788	file.exe	89
PID 5724 wrote to memory of 116	5724	cmd.exe	90
PID 5724 wrote to memory of 116	5724	cmd.exe	90
PID 5724 wrote to memory of 2824	5724	cmd.exe	91
PID 5724 wrote to memory of 2824	5724	cmd.exe	91
PID 5724 wrote to memory of 2640	5724	cmd.exe	92
PID 5724 wrote to memory of 2640	5724	cmd.exe	92
PID 5352 wrote to memory of 936	5352	cmd.exe	93
PID 5352 wrote to memory of 936	5352	cmd.exe	93
PID 1788 wrote to memory of 4392	1788	file.exe	96
PID 1788 wrote to memory of 4392	1788	file.exe	96
PID 4392 wrote to memory of 1568	4392	cmd.exe	97
PID 4392 wrote to memory of 1568	4392	cmd.exe	97
PID 1788 wrote to memory of 2672	1788	file.exe	98
PID 1788 wrote to memory of 2672	1788	file.exe	98
PID 2672 wrote to memory of 5068	2672	cmd.exe	99
PID 2672 wrote to memory of 5068	2672	cmd.exe	99
PID 1788 wrote to memory of 5896	1788	file.exe	100
PID 1788 wrote to memory of 5896	1788	file.exe	100
PID 5896 wrote to memory of 4588	5896	cmd.exe	101
PID 5896 wrote to memory of 4588	5896	cmd.exe	101
PID 1788 wrote to memory of 4708	1788	file.exe	102
PID 1788 wrote to memory of 4708	1788	file.exe	102
PID 4708 wrote to memory of 4728	4708	cmd.exe	103
PID 4708 wrote to memory of 4728	4708	cmd.exe	103
PID 1788 wrote to memory of 4760	1788	file.exe	104
PID 1788 wrote to memory of 4760	1788	file.exe	104
PID 4760 wrote to memory of 4704	4760	cmd.exe	105
PID 4760 wrote to memory of 4704	4760	cmd.exe	105

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1788
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c color F0
  2⤵
  PID:1500
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\file.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5724
- - C:\Windows\system32\certutil.exe
    certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\file.exe" MD5
    3⤵
    PID:116
- - C:\Windows\system32\find.exe
    find /i /v "md5"
    3⤵
    PID:2824
- - C:\Windows\system32\find.exe
    find /i /v "certutil"
    3⤵
    PID:2640
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5352
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:936
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4392
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1568
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2672
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Ida64.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5068
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5896
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im OllyDbg.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4588
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg64.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4708
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Dbg64.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4728
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4760
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Dbg32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4704

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2fc 0x464
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1044

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads