d3a5eb35753888cbf3d6f12f2fbb938a7b53be9a47b1b9b4db15170692f18459

Analysis

max time kernel
91s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 16:45

Target

d3a5eb35753888cbf3d6f12f2fbb938a7b53be9a47b1b9b4db15170692f18459.exe
Size

71KB
MD5

0a554676ea50a2c9ed1f45998f00c386
SHA1

1cdc0ed2c93040df08c64c002dc32034d82c746f
SHA256

d3a5eb35753888cbf3d6f12f2fbb938a7b53be9a47b1b9b4db15170692f18459
SHA512

fd7b081ac8c4cc6830b75a4c9fdfe2445894e2a09daaabea38184323fa7890aa24293d106d24651e1a0105904c2bb920585ff2750dc3358d0a8c04ffb20b8f4e
SSDEEP

1536:dDHZHYqvKqJdYxXimwLZXZtn5KLZyTDGm/Xcg:ZBlYxPqZX5K0HGm/cg

Score

5^/10

Suspicious use of SetThreadContext 1 IoCs

Processes:

d3a5eb35753888cbf3d6f12f2fbb938a7b53be9a47b1b9b4db15170692f18459.exe

description	pid	process	target process
PID 3836 set thread context of 3244	3836	d3a5eb35753888cbf3d6f12f2fbb938a7b53be9a47b1b9b4db15170692f18459.exe	d3a5eb35753888cbf3d6f12f2fbb938a7b53be9a47b1b9b4db15170692f18459.exe

Drops file in Program Files directory 4 IoCs

Processes:

d3a5eb35753888cbf3d6f12f2fbb938a7b53be9a47b1b9b4db15170692f18459.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Bifrost\server.exe	d3a5eb35753888cbf3d6f12f2fbb938a7b53be9a47b1b9b4db15170692f18459.exe
File created	C:\Program Files (x86)\Bifrost\server.exe	d3a5eb35753888cbf3d6f12f2fbb938a7b53be9a47b1b9b4db15170692f18459.exe
File opened for modification	C:\Program Files (x86)\Bifrost\klog.dat	d3a5eb35753888cbf3d6f12f2fbb938a7b53be9a47b1b9b4db15170692f18459.exe
File opened for modification	C:\Program Files (x86)\Bifrost	d3a5eb35753888cbf3d6f12f2fbb938a7b53be9a47b1b9b4db15170692f18459.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	process	target process
1500	3836	WerFault.exe	d3a5eb35753888cbf3d6f12f2fbb938a7b53be9a47b1b9b4db15170692f18459.exe
3260	3836	WerFault.exe	d3a5eb35753888cbf3d6f12f2fbb938a7b53be9a47b1b9b4db15170692f18459.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

d3a5eb35753888cbf3d6f12f2fbb938a7b53be9a47b1b9b4db15170692f18459.exe

description	pid	process
Token: SeDebugPrivilege	3244	d3a5eb35753888cbf3d6f12f2fbb938a7b53be9a47b1b9b4db15170692f18459.exe
Token: SeDebugPrivilege	3244	d3a5eb35753888cbf3d6f12f2fbb938a7b53be9a47b1b9b4db15170692f18459.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

d3a5eb35753888cbf3d6f12f2fbb938a7b53be9a47b1b9b4db15170692f18459.exe

pid process

3244 d3a5eb35753888cbf3d6f12f2fbb938a7b53be9a47b1b9b4db15170692f18459.exe

pid	process
3244	d3a5eb35753888cbf3d6f12f2fbb938a7b53be9a47b1b9b4db15170692f18459.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

d3a5eb35753888cbf3d6f12f2fbb938a7b53be9a47b1b9b4db15170692f18459.exe

description	pid	process	target process
PID 3836 wrote to memory of 3244	3836	d3a5eb35753888cbf3d6f12f2fbb938a7b53be9a47b1b9b4db15170692f18459.exe	d3a5eb35753888cbf3d6f12f2fbb938a7b53be9a47b1b9b4db15170692f18459.exe
PID 3836 wrote to memory of 3244	3836	d3a5eb35753888cbf3d6f12f2fbb938a7b53be9a47b1b9b4db15170692f18459.exe	d3a5eb35753888cbf3d6f12f2fbb938a7b53be9a47b1b9b4db15170692f18459.exe
PID 3836 wrote to memory of 3244	3836	d3a5eb35753888cbf3d6f12f2fbb938a7b53be9a47b1b9b4db15170692f18459.exe	d3a5eb35753888cbf3d6f12f2fbb938a7b53be9a47b1b9b4db15170692f18459.exe
PID 3836 wrote to memory of 3244	3836	d3a5eb35753888cbf3d6f12f2fbb938a7b53be9a47b1b9b4db15170692f18459.exe	d3a5eb35753888cbf3d6f12f2fbb938a7b53be9a47b1b9b4db15170692f18459.exe
PID 3836 wrote to memory of 3244	3836	d3a5eb35753888cbf3d6f12f2fbb938a7b53be9a47b1b9b4db15170692f18459.exe	d3a5eb35753888cbf3d6f12f2fbb938a7b53be9a47b1b9b4db15170692f18459.exe

C:\Users\Admin\AppData\Local\Temp\d3a5eb35753888cbf3d6f12f2fbb938a7b53be9a47b1b9b4db15170692f18459.exe
"C:\Users\Admin\AppData\Local\Temp\d3a5eb35753888cbf3d6f12f2fbb938a7b53be9a47b1b9b4db15170692f18459.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3836
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3836 -s 220
  2⤵
  - Program crash
  PID:1500
- C:\Users\Admin\AppData\Local\Temp\d3a5eb35753888cbf3d6f12f2fbb938a7b53be9a47b1b9b4db15170692f18459.exe
  C:\Users\Admin\AppData\Local\Temp\d3a5eb35753888cbf3d6f12f2fbb938a7b53be9a47b1b9b4db15170692f18459.exe
  2⤵
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3244
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3836 -s 140
  2⤵
  - Program crash
  PID:3260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3836 -ip 3836
1⤵
PID:4376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3836 -ip 3836
1⤵
PID:1664

memory/3244-132-0x0000000000000000-mapping.dmp

Download
memory/3244-133-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3244-135-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3244-136-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3244-137-0x0000000000020000-0x0000000000032000-memory.dmp

Filesize
72KB

Download
memory/3244-138-0x000000004C300000-0x000000004C37A000-memory.dmp

Filesize
488KB

Download
memory/3244-139-0x000000004C300000-0x000000004C37A000-memory.dmp

Filesize
488KB

Download
memory/3244-140-0x00000000006E0000-0x00000000006F3000-memory.dmp

Filesize
76KB

Download
memory/3244-141-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download