1b433cfefdac6a1a2c4472b49a4fa7e9289565afbbd0d70111f28e05fbc33585

Analysis

max time kernel
165s
max time network
169s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
01/10/2022, 19:54

Target

1b433cfefdac6a1a2c4472b49a4fa7e9289565afbbd0d70111f28e05fbc33585.exe
Size

393KB
MD5

00890653ba8c1302d15b0fb5d17c2337
SHA1

61edfd5d9f2cfdc1158e97259cc7ab2d230edc22
SHA256

1b433cfefdac6a1a2c4472b49a4fa7e9289565afbbd0d70111f28e05fbc33585
SHA512

37d928b09c7b5b4719d9540e2449ca68eb1351be87d964df7797a9f1d0b457fa596285017e4a3b61248a7553f2b1b747d205ba77523635639eb7b647b94bfb76
SSDEEP

6144:IZWMfwaaMrMM2gGEghjdQLYpfuHB/e5QaLrN36pgVZv2JL3r77a:IJ0MAMIjdQUpfo/e5Q23sLX

Score

8^/10

Executes dropped EXE 1 IoCs

pid	Process
1904	jlguaji.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1040	1904	WerFault.exe	85
2808	1904	WerFault.exe	85

Kills process with taskkill 1 IoCs

evasion

pid	Process
440	taskkill.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	440	taskkill.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4800 wrote to memory of 440	4800	1b433cfefdac6a1a2c4472b49a4fa7e9289565afbbd0d70111f28e05fbc33585.exe	83
PID 4800 wrote to memory of 440	4800	1b433cfefdac6a1a2c4472b49a4fa7e9289565afbbd0d70111f28e05fbc33585.exe	83
PID 4800 wrote to memory of 440	4800	1b433cfefdac6a1a2c4472b49a4fa7e9289565afbbd0d70111f28e05fbc33585.exe	83
PID 4800 wrote to memory of 1904	4800	1b433cfefdac6a1a2c4472b49a4fa7e9289565afbbd0d70111f28e05fbc33585.exe	85
PID 4800 wrote to memory of 1904	4800	1b433cfefdac6a1a2c4472b49a4fa7e9289565afbbd0d70111f28e05fbc33585.exe	85
PID 4800 wrote to memory of 1904	4800	1b433cfefdac6a1a2c4472b49a4fa7e9289565afbbd0d70111f28e05fbc33585.exe	85

C:\Users\Admin\AppData\Local\Temp\1b433cfefdac6a1a2c4472b49a4fa7e9289565afbbd0d70111f28e05fbc33585.exe
"C:\Users\Admin\AppData\Local\Temp\1b433cfefdac6a1a2c4472b49a4fa7e9289565afbbd0d70111f28e05fbc33585.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4800
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im Ksafetray.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:440
- C:\Users\Admin\AppData\Roaming\Spiritsoft\urlspirit\jlguaji.exe
  C:\Users\Admin\AppData\Roaming\Spiritsoft\urlspirit\jlguaji.exe
  2⤵
  - Executes dropped EXE
  PID:1904
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 556
    3⤵
    - Program crash
    PID:1040
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 576
    3⤵
    - Program crash
    PID:2808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1904 -ip 1904
1⤵
PID:1744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1904 -ip 1904
1⤵
PID:4160

C:\Users\Admin\AppData\Roaming\Spiritsoft\urlspirit\jlguaji.exe

Filesize
338KB

MD5
a810072c0884629f04fd17481b385751

SHA1
3354a25a544307de15d7a51375127021ddf66c96

SHA256
7684717985a61b600f128fed6cae8b2f72a9d1accb3f598ba121bdde7396091f

SHA512
5c0b8ff931fb54d6577ffb6707c567173ec8cb2c2c270ce01c400f2227694c87c9b88a8fde1fb2b107d8489e98afb7f38e4e7f423429f31a5a9f9394d5007fd2

Download Submit
C:\Users\Admin\AppData\Roaming\Spiritsoft\urlspirit\jlguaji.exe

Filesize
338KB

MD5
a810072c0884629f04fd17481b385751

SHA1
3354a25a544307de15d7a51375127021ddf66c96

SHA256
7684717985a61b600f128fed6cae8b2f72a9d1accb3f598ba121bdde7396091f

SHA512
5c0b8ff931fb54d6577ffb6707c567173ec8cb2c2c270ce01c400f2227694c87c9b88a8fde1fb2b107d8489e98afb7f38e4e7f423429f31a5a9f9394d5007fd2

Download Submit