403daa39886c0f06acd2663416f929b07f185d728bf67abd8424e273dcfddb50

Analysis

max time kernel
122s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
19/10/2022, 23:04

Target

403daa39886c0f06acd2663416f929b07f185d728bf67abd8424e273dcfddb50.exe
Size

171KB
MD5

82e49b3a536412fc0ce63bcbab060cef
SHA1

553a87bcb033f71c4220e1317ea3d4cc05c27558
SHA256

403daa39886c0f06acd2663416f929b07f185d728bf67abd8424e273dcfddb50
SHA512

ca78e9868a6234b3ba1d178e45d879b18fb26052ad228a18e6a97002cfcd3b048f30f7993331ecd55705eedbd2c96ad866970759686b8d78fbe07b0791869ab5
SSDEEP

1536:TA31uITEB3OxdafOgzS8Wk5VSqm9fe8mn9NdZ66GV8WDF4dhyW0MUwtHR/9HRgwr:TC12+r9mSLkyd92cD6jCMZ9tDPt1

Score

8^/10

Executes dropped EXE 1 IoCs

pid	Process
4836	fabyope.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\fabyope.exe	403daa39886c0f06acd2663416f929b07f185d728bf67abd8424e273dcfddb50.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4708	4836	WerFault.exe	81

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4836	fabyope.exe
4836	fabyope.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4836	fabyope.exe

Suspicious use of WriteProcessMemory 1 IoCs

description	pid	Process	procid_target
PID 4836 wrote to memory of 2576	4836	fabyope.exe	44

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2576
- C:\Users\Admin\AppData\Local\Temp\403daa39886c0f06acd2663416f929b07f185d728bf67abd8424e273dcfddb50.exe
  "C:\Users\Admin\AppData\Local\Temp\403daa39886c0f06acd2663416f929b07f185d728bf67abd8424e273dcfddb50.exe"
  2⤵
  - Drops file in Program Files directory
  PID:4984

C:\PROGRA~3\Mozilla\fabyope.exe
C:\PROGRA~3\Mozilla\fabyope.exe -pbtetmh
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4836
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 556
  2⤵
  - Program crash
  PID:4708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 4836 -ip 4836
1⤵
PID:1080

C:\PROGRA~3\Mozilla\fabyope.exe

Filesize
171KB

MD5
c5f2bdd3caa57a603368a962b1cafcd9

SHA1
a90d08368a23f083f358bd4715f10496df0204ae

SHA256
def8819ac0b0c972eb45f162b2a4d66a9e6ff2afad27e5957331b43f64ced3f3

SHA512
b982fb18a008de56d9661bd30544e3827e6af0162c339f24d9c705a1e3ed6e52b53f7c4a9587af28f1d0e7f29402c249efd1bb296ab5aaa952d487c7506a625c

Download Submit
C:\ProgramData\Mozilla\fabyope.exe

Filesize
171KB

MD5
c5f2bdd3caa57a603368a962b1cafcd9

SHA1
a90d08368a23f083f358bd4715f10496df0204ae

SHA256
def8819ac0b0c972eb45f162b2a4d66a9e6ff2afad27e5957331b43f64ced3f3

SHA512
b982fb18a008de56d9661bd30544e3827e6af0162c339f24d9c705a1e3ed6e52b53f7c4a9587af28f1d0e7f29402c249efd1bb296ab5aaa952d487c7506a625c

Download Submit
memory/2576-140-0x0000000000E40000-0x0000000000E5C000-memory.dmp

Filesize
112KB

Download
memory/4836-138-0x0000000002080000-0x00000000020DF000-memory.dmp

Filesize
380KB

Download
memory/4836-139-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4836-141-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4984-132-0x00000000021B0000-0x000000000220F000-memory.dmp

Filesize
380KB

Download
memory/4984-133-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4984-134-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4984-137-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download