Analysis
-
max time kernel
4294183s -
max time network
129s -
platform
windows7_x64 -
resource
win7-20220310-en -
submitted
31-03-2022 16:03
Static task
static1
Behavioral task
behavioral1
Sample
d2f181221ba9049c02ed7283c9144c7c.exe
Resource
win7-20220310-en
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
d2f181221ba9049c02ed7283c9144c7c.exe
Resource
win10v2004-en-20220113
windows10-2004_x64
0 signatures
0 seconds
General
-
Target
d2f181221ba9049c02ed7283c9144c7c.exe
-
Size
1.7MB
-
MD5
d2f181221ba9049c02ed7283c9144c7c
-
SHA1
b4ed1b4714112d5fc3c7b4673e19ed26ae4c6e85
-
SHA256
f47db48129530cf19f3c42f0c9f38ce1915f403469483661999dc2b19e12650b
-
SHA512
ab0b9a029489f6b3a091c7823b5523ea3cfd8677b32eddd48ba7e64694e4146c3292589d9d09bd0cc5908c9d86c830ee21e75f8712e6f3a2cba2cfd853f372a1
Score
10/10
Malware Config
Signatures
-
BlackGuard
Infostealer first seen in Late 2021.
-
Program crash 1 IoCs
pid pid_target Process procid_target 1996 1628 WerFault.exe 20 -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1628 d2f181221ba9049c02ed7283c9144c7c.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 1628 wrote to memory of 1996 1628 d2f181221ba9049c02ed7283c9144c7c.exe 29 PID 1628 wrote to memory of 1996 1628 d2f181221ba9049c02ed7283c9144c7c.exe 29 PID 1628 wrote to memory of 1996 1628 d2f181221ba9049c02ed7283c9144c7c.exe 29
Processes
-
C:\Users\Admin\AppData\Local\Temp\d2f181221ba9049c02ed7283c9144c7c.exe"C:\Users\Admin\AppData\Local\Temp\d2f181221ba9049c02ed7283c9144c7c.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1628 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1628 -s 12682⤵
- Program crash
PID:1996
-