794bb4b18eafd40fc2ef38848b96dc23c7ad682379c8c9acd1c53dc86edb2ae3

Resubmissions

16-10-2022 11:14

221016-ncgzsshea7 5

16-10-2022 10:56

221016-m1tg3ahch8 3

Analysis

max time kernel
229s
max time network
296s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
16-10-2022 11:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

794bb4b18eafd40fc2ef38848b96dc23c7ad682379c8c9acd1c53dc86edb2ae3.exe
Size

3.8MB
MD5

0b9e4955640036d32148e1dd52b85cf0
SHA1

2ae01aa674711ab20d0dc930dba49fceeed4e6c9
SHA256

794bb4b18eafd40fc2ef38848b96dc23c7ad682379c8c9acd1c53dc86edb2ae3
SHA512

71d3d65ae511d0e49f76a9e0ab46c9338a67378444a76f1befae9fb1e9fdfd3ec4dbb13ec163cb64962b2ef51520b6394974aeda865bea28a4b43a2bb321b52b
SSDEEP

98304:17XaDyFUzyGg6DlGfuDKXe5StV354CJm9A2H:EgYlN8kS3x+

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2576 set thread context of 1028	2576	794bb4b18eafd40fc2ef38848b96dc23c7ad682379c8c9acd1c53dc86edb2ae3.exe	83

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2028	1028	WerFault.exe	83

Suspicious use of AdjustPrivilegeToken 38 IoCs

description	pid	Process
Token: SeDebugPrivilege	2576	794bb4b18eafd40fc2ef38848b96dc23c7ad682379c8c9acd1c53dc86edb2ae3.exe
Token: SeBackupPrivilege	2576	794bb4b18eafd40fc2ef38848b96dc23c7ad682379c8c9acd1c53dc86edb2ae3.exe
Token: SeBackupPrivilege	2576	794bb4b18eafd40fc2ef38848b96dc23c7ad682379c8c9acd1c53dc86edb2ae3.exe
Token: SeBackupPrivilege	2576	794bb4b18eafd40fc2ef38848b96dc23c7ad682379c8c9acd1c53dc86edb2ae3.exe
Token: SeBackupPrivilege	2576	794bb4b18eafd40fc2ef38848b96dc23c7ad682379c8c9acd1c53dc86edb2ae3.exe
Token: SeBackupPrivilege	2576	794bb4b18eafd40fc2ef38848b96dc23c7ad682379c8c9acd1c53dc86edb2ae3.exe
Token: SeBackupPrivilege	2576	794bb4b18eafd40fc2ef38848b96dc23c7ad682379c8c9acd1c53dc86edb2ae3.exe
Token: SeSecurityPrivilege	2576	794bb4b18eafd40fc2ef38848b96dc23c7ad682379c8c9acd1c53dc86edb2ae3.exe
Token: SeBackupPrivilege	2576	794bb4b18eafd40fc2ef38848b96dc23c7ad682379c8c9acd1c53dc86edb2ae3.exe
Token: SeBackupPrivilege	2576	794bb4b18eafd40fc2ef38848b96dc23c7ad682379c8c9acd1c53dc86edb2ae3.exe
Token: SeBackupPrivilege	2576	794bb4b18eafd40fc2ef38848b96dc23c7ad682379c8c9acd1c53dc86edb2ae3.exe
Token: SeBackupPrivilege	2576	794bb4b18eafd40fc2ef38848b96dc23c7ad682379c8c9acd1c53dc86edb2ae3.exe
Token: SeBackupPrivilege	2576	794bb4b18eafd40fc2ef38848b96dc23c7ad682379c8c9acd1c53dc86edb2ae3.exe
Token: SeSecurityPrivilege	2576	794bb4b18eafd40fc2ef38848b96dc23c7ad682379c8c9acd1c53dc86edb2ae3.exe
Token: SeBackupPrivilege	2576	794bb4b18eafd40fc2ef38848b96dc23c7ad682379c8c9acd1c53dc86edb2ae3.exe
Token: SeBackupPrivilege	2576	794bb4b18eafd40fc2ef38848b96dc23c7ad682379c8c9acd1c53dc86edb2ae3.exe
Token: SeSecurityPrivilege	2576	794bb4b18eafd40fc2ef38848b96dc23c7ad682379c8c9acd1c53dc86edb2ae3.exe
Token: SeBackupPrivilege	2576	794bb4b18eafd40fc2ef38848b96dc23c7ad682379c8c9acd1c53dc86edb2ae3.exe
Token: SeBackupPrivilege	2576	794bb4b18eafd40fc2ef38848b96dc23c7ad682379c8c9acd1c53dc86edb2ae3.exe
Token: SeSecurityPrivilege	2576	794bb4b18eafd40fc2ef38848b96dc23c7ad682379c8c9acd1c53dc86edb2ae3.exe
Token: SeBackupPrivilege	2576	794bb4b18eafd40fc2ef38848b96dc23c7ad682379c8c9acd1c53dc86edb2ae3.exe
Token: SeBackupPrivilege	2576	794bb4b18eafd40fc2ef38848b96dc23c7ad682379c8c9acd1c53dc86edb2ae3.exe
Token: SeSecurityPrivilege	2576	794bb4b18eafd40fc2ef38848b96dc23c7ad682379c8c9acd1c53dc86edb2ae3.exe
Token: SeBackupPrivilege	2576	794bb4b18eafd40fc2ef38848b96dc23c7ad682379c8c9acd1c53dc86edb2ae3.exe
Token: SeBackupPrivilege	2576	794bb4b18eafd40fc2ef38848b96dc23c7ad682379c8c9acd1c53dc86edb2ae3.exe
Token: SeSecurityPrivilege	2576	794bb4b18eafd40fc2ef38848b96dc23c7ad682379c8c9acd1c53dc86edb2ae3.exe
Token: SeBackupPrivilege	2576	794bb4b18eafd40fc2ef38848b96dc23c7ad682379c8c9acd1c53dc86edb2ae3.exe
Token: SeSecurityPrivilege	2576	794bb4b18eafd40fc2ef38848b96dc23c7ad682379c8c9acd1c53dc86edb2ae3.exe
Token: SeBackupPrivilege	2576	794bb4b18eafd40fc2ef38848b96dc23c7ad682379c8c9acd1c53dc86edb2ae3.exe
Token: SeSecurityPrivilege	2576	794bb4b18eafd40fc2ef38848b96dc23c7ad682379c8c9acd1c53dc86edb2ae3.exe
Token: SeSecurityPrivilege	2576	794bb4b18eafd40fc2ef38848b96dc23c7ad682379c8c9acd1c53dc86edb2ae3.exe
Token: SeBackupPrivilege	2576	794bb4b18eafd40fc2ef38848b96dc23c7ad682379c8c9acd1c53dc86edb2ae3.exe
Token: SeBackupPrivilege	2576	794bb4b18eafd40fc2ef38848b96dc23c7ad682379c8c9acd1c53dc86edb2ae3.exe
Token: SeSecurityPrivilege	2576	794bb4b18eafd40fc2ef38848b96dc23c7ad682379c8c9acd1c53dc86edb2ae3.exe
Token: SeBackupPrivilege	2576	794bb4b18eafd40fc2ef38848b96dc23c7ad682379c8c9acd1c53dc86edb2ae3.exe
Token: SeBackupPrivilege	2576	794bb4b18eafd40fc2ef38848b96dc23c7ad682379c8c9acd1c53dc86edb2ae3.exe
Token: SeSecurityPrivilege	2576	794bb4b18eafd40fc2ef38848b96dc23c7ad682379c8c9acd1c53dc86edb2ae3.exe
Token: SeBackupPrivilege	2576	794bb4b18eafd40fc2ef38848b96dc23c7ad682379c8c9acd1c53dc86edb2ae3.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2576 wrote to memory of 1028	2576	794bb4b18eafd40fc2ef38848b96dc23c7ad682379c8c9acd1c53dc86edb2ae3.exe	83
PID 2576 wrote to memory of 1028	2576	794bb4b18eafd40fc2ef38848b96dc23c7ad682379c8c9acd1c53dc86edb2ae3.exe	83
PID 2576 wrote to memory of 1028	2576	794bb4b18eafd40fc2ef38848b96dc23c7ad682379c8c9acd1c53dc86edb2ae3.exe	83
PID 2576 wrote to memory of 1028	2576	794bb4b18eafd40fc2ef38848b96dc23c7ad682379c8c9acd1c53dc86edb2ae3.exe	83
PID 2576 wrote to memory of 1028	2576	794bb4b18eafd40fc2ef38848b96dc23c7ad682379c8c9acd1c53dc86edb2ae3.exe	83
PID 2576 wrote to memory of 1028	2576	794bb4b18eafd40fc2ef38848b96dc23c7ad682379c8c9acd1c53dc86edb2ae3.exe	83

C:\Users\Admin\AppData\Local\Temp\794bb4b18eafd40fc2ef38848b96dc23c7ad682379c8c9acd1c53dc86edb2ae3.exe
"C:\Users\Admin\AppData\Local\Temp\794bb4b18eafd40fc2ef38848b96dc23c7ad682379c8c9acd1c53dc86edb2ae3.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2576
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
  /Processid:-c
  2⤵
  PID:1028
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 1028 -s 772
    3⤵
    - Program crash
    PID:2028

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 1028 -ip 1028
1⤵
PID:4604

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1028-151-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1028-179-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1028-180-0x00007FFB85B20000-0x00007FFB865E1000-memory.dmp

Filesize
10.8MB

Download
memory/1028-177-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1028-176-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1028-173-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1028-172-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1028-169-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1028-170-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1028-141-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1028-155-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1028-146-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1028-167-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1028-147-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1028-149-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1028-148-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1028-152-0x00007FFB85B20000-0x00007FFB865E1000-memory.dmp

Filesize
10.8MB

Download
memory/1028-166-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1028-164-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1028-163-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1028-157-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2576-156-0x00007FFBA3FB0000-0x00007FFBA41A5000-memory.dmp

Filesize
2.0MB

Download
memory/2576-139-0x00007FFBA1BC0000-0x00007FFBA1E89000-memory.dmp

Filesize
2.8MB

Download
memory/2576-162-0x00007FFBA27D0000-0x00007FFBA287C000-memory.dmp

Filesize
688KB

Download
memory/2576-132-0x0000029262C10000-0x0000029262FE2000-memory.dmp

Filesize
3.8MB

Download
memory/2576-158-0x00007FFBA39B0000-0x00007FFBA3A6E000-memory.dmp

Filesize
760KB

Download
memory/2576-140-0x00007FFBA27D0000-0x00007FFBA287C000-memory.dmp

Filesize
688KB

Download
memory/2576-143-0x00007FFBA39B0000-0x00007FFBA3A6E000-memory.dmp

Filesize
760KB

Download
memory/2576-160-0x00007FFBA1BC0000-0x00007FFBA1E89000-memory.dmp

Filesize
2.8MB

Download
memory/2576-133-0x00007FFB85B20000-0x00007FFB865E1000-memory.dmp

Filesize
10.8MB

Download
memory/2576-145-0x00007FFBA1BC0000-0x00007FFBA1E89000-memory.dmp

Filesize
2.8MB

Download
memory/2576-138-0x00007FFBA39B0000-0x00007FFBA3A6E000-memory.dmp

Filesize
760KB

Download
memory/2576-137-0x00007FFBA3FB0000-0x00007FFBA41A5000-memory.dmp

Filesize
2.0MB

Download
memory/2576-136-0x000002927EEB0000-0x000002927F37C000-memory.dmp

Filesize
4.8MB

Download
memory/2576-135-0x0000029264B10000-0x0000029264B22000-memory.dmp

Filesize
72KB

Download
memory/2576-154-0x00007FFB85B20000-0x00007FFB865E1000-memory.dmp

Filesize
10.8MB

Download
memory/2576-134-0x00007FFB85B20000-0x00007FFB865E1000-memory.dmp

Filesize
10.8MB

Download