f77ec75d9c444361b57f286bd40726bedeb8106ab18c02ff6a59ef2e3f4e5f24

Analysis

max time kernel
145s
max time network
167s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03-10-2022 02:17

Target

f77ec75d9c444361b57f286bd40726bedeb8106ab18c02ff6a59ef2e3f4e5f24.exe
Size

887KB
MD5

6e91f9d1c4b9fcf81c4a30e99358fde0
SHA1

4eeaf371809f8078e7ed0dc18e196e72c505f871
SHA256

f77ec75d9c444361b57f286bd40726bedeb8106ab18c02ff6a59ef2e3f4e5f24
SHA512

b462cd0cd1d42a7081f254a118f75b58fab8750fd2348155eb04ba932274715899615bf05f8e0e923bb9abe02041ee582158c1e77e8c2df8d9efbd25fc00c3fe
SSDEEP

12288:HWzsaCUc+TcN09kaTUfucrmdztxZcSHg0yJnsumdjANlKk1F:2zs1wmaTU4dRxvgTJsjViB

Score

5^/10

Suspicious use of SetThreadContext 1 IoCs

Processes:

f77ec75d9c444361b57f286bd40726bedeb8106ab18c02ff6a59ef2e3f4e5f24.exe

description	pid	process	target process
PID 4636 set thread context of 1952	4636	f77ec75d9c444361b57f286bd40726bedeb8106ab18c02ff6a59ef2e3f4e5f24.exe	f77ec75d9c444361b57f286bd40726bedeb8106ab18c02ff6a59ef2e3f4e5f24.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3892 1952 WerFault.exe f77ec75d9c444361b57f286bd40726bedeb8106ab18c02ff6a59ef2e3f4e5f24.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

f77ec75d9c444361b57f286bd40726bedeb8106ab18c02ff6a59ef2e3f4e5f24.exe

description pid process

Token: SeDebugPrivilege 4636 f77ec75d9c444361b57f286bd40726bedeb8106ab18c02ff6a59ef2e3f4e5f24.exe

pid	pid_target	process	target process
3892	1952	WerFault.exe	f77ec75d9c444361b57f286bd40726bedeb8106ab18c02ff6a59ef2e3f4e5f24.exe

description	pid	process
Token: SeDebugPrivilege	4636	f77ec75d9c444361b57f286bd40726bedeb8106ab18c02ff6a59ef2e3f4e5f24.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

f77ec75d9c444361b57f286bd40726bedeb8106ab18c02ff6a59ef2e3f4e5f24.exe

description	pid	process	target process
PID 4636 wrote to memory of 1952	4636	f77ec75d9c444361b57f286bd40726bedeb8106ab18c02ff6a59ef2e3f4e5f24.exe	f77ec75d9c444361b57f286bd40726bedeb8106ab18c02ff6a59ef2e3f4e5f24.exe
PID 4636 wrote to memory of 1952	4636	f77ec75d9c444361b57f286bd40726bedeb8106ab18c02ff6a59ef2e3f4e5f24.exe	f77ec75d9c444361b57f286bd40726bedeb8106ab18c02ff6a59ef2e3f4e5f24.exe
PID 4636 wrote to memory of 1952	4636	f77ec75d9c444361b57f286bd40726bedeb8106ab18c02ff6a59ef2e3f4e5f24.exe	f77ec75d9c444361b57f286bd40726bedeb8106ab18c02ff6a59ef2e3f4e5f24.exe
PID 4636 wrote to memory of 1952	4636	f77ec75d9c444361b57f286bd40726bedeb8106ab18c02ff6a59ef2e3f4e5f24.exe	f77ec75d9c444361b57f286bd40726bedeb8106ab18c02ff6a59ef2e3f4e5f24.exe
PID 4636 wrote to memory of 1952	4636	f77ec75d9c444361b57f286bd40726bedeb8106ab18c02ff6a59ef2e3f4e5f24.exe	f77ec75d9c444361b57f286bd40726bedeb8106ab18c02ff6a59ef2e3f4e5f24.exe
PID 4636 wrote to memory of 1952	4636	f77ec75d9c444361b57f286bd40726bedeb8106ab18c02ff6a59ef2e3f4e5f24.exe	f77ec75d9c444361b57f286bd40726bedeb8106ab18c02ff6a59ef2e3f4e5f24.exe
PID 4636 wrote to memory of 1952	4636	f77ec75d9c444361b57f286bd40726bedeb8106ab18c02ff6a59ef2e3f4e5f24.exe	f77ec75d9c444361b57f286bd40726bedeb8106ab18c02ff6a59ef2e3f4e5f24.exe
PID 4636 wrote to memory of 1952	4636	f77ec75d9c444361b57f286bd40726bedeb8106ab18c02ff6a59ef2e3f4e5f24.exe	f77ec75d9c444361b57f286bd40726bedeb8106ab18c02ff6a59ef2e3f4e5f24.exe

C:\Users\Admin\AppData\Local\Temp\f77ec75d9c444361b57f286bd40726bedeb8106ab18c02ff6a59ef2e3f4e5f24.exe
C:\Users\Admin\AppData\Local\Temp\f77ec75d9c444361b57f286bd40726bedeb8106ab18c02ff6a59ef2e3f4e5f24.exe
2⤵
PID:1952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1952 -s 80
3⤵
- Program crash
PID:3892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1952 -ip 1952
1⤵
PID:3872

memory/1952-132-0x0000000000000000-mapping.dmp

Download
memory/4636-134-0x0000000074AB0000-0x0000000075061000-memory.dmp

Filesize
5.7MB

Download