7482f92914781be25169f4e4c1ac9baa1635f010ccd387c76b32d46c10706a98

Analysis

max time kernel
87s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
05-11-2022 01:32

Target

Install/install.exe
Size

667.6MB
MD5

c079e46750d30cd8dba3e3f4dc578f0d
SHA1

c5ceebca812287df8b083a617dc18dcb8cc36bc2
SHA256

de5468503932284b29e00fa73decc336d74547d58d570182b1c138dc0f90da2a
SHA512

073ae57220fb4872e3fc1924f7c5d56a503d0be459436044e0bf84b77346f33c7fb7ae8383db61a9b4f46f26a9dfddfa6e64f87182e37d77ebe83e9d9efc87c7
SSDEEP

49152:pFeG4SFMeyl8OM5WdFU7Dz/RLrsarvtZF4c10sqKheP:be1S8l8OAZ/RLrsarx4w0sqQe

Score

6^/10

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
12	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4920 set thread context of 97784	4920	install.exe	81

Program crash 1 IoCs

pid	pid_target	Process	procid_target
97976	4920	WerFault.exe	79

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	97784	AppLaunch.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4920 wrote to memory of 97784	4920	install.exe	81
PID 4920 wrote to memory of 97784	4920	install.exe	81
PID 4920 wrote to memory of 97784	4920	install.exe	81
PID 4920 wrote to memory of 97784	4920	install.exe	81
PID 4920 wrote to memory of 97784	4920	install.exe	81

C:\Users\Admin\AppData\Local\Temp\Install\install.exe
"C:\Users\Admin\AppData\Local\Temp\Install\install.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4920
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:97784
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4920 -s 94800
  2⤵
  - Program crash
  PID:97976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4920 -ip 4920
1⤵
PID:97856

memory/97784-132-0x0000000000000000-mapping.dmp

Download
memory/97784-133-0x0000000000400000-0x0000000000562000-memory.dmp

Filesize
1.4MB

Download
memory/97784-138-0x0000000000400000-0x0000000000562000-memory.dmp

Filesize
1.4MB

Download
memory/97784-139-0x0000000000400000-0x0000000000562000-memory.dmp

Filesize
1.4MB

Download
memory/97784-140-0x0000000000400000-0x0000000000562000-memory.dmp

Filesize
1.4MB

Download
memory/97784-141-0x0000000000400000-0x0000000000562000-memory.dmp

Filesize
1.4MB

Download
memory/97784-143-0x0000000000400000-0x0000000000562000-memory.dmp

Filesize
1.4MB

Download
memory/97784-145-0x0000000000400000-0x0000000000562000-memory.dmp

Filesize
1.4MB

Download
memory/97784-146-0x0000000000400000-0x0000000000562000-memory.dmp

Filesize
1.4MB

Download
memory/97784-149-0x0000000000400000-0x0000000000562000-memory.dmp

Filesize
1.4MB

Download
memory/97784-151-0x0000000000400000-0x0000000000562000-memory.dmp

Filesize
1.4MB

Download
memory/97784-152-0x0000000000400000-0x0000000000562000-memory.dmp

Filesize
1.4MB

Download
memory/97784-154-0x0000000000400000-0x0000000000562000-memory.dmp

Filesize
1.4MB

Download