63248ad3b64bf52266f0469e79e9f1b733dc0e2882142cf2167d7970b196973a

Analysis

max time kernel
72s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
14-12-2022 15:53

Target

ave_maria_rat.exe
Size

383KB
MD5

d414115c947793d91a7d5a110053305c
SHA1

3a21e61f797e8abd4aa703f1f0d375d4d4fcc37a
SHA256

65eb2d7d35b22b4edfef16c7ff2f36d79b827145bc94644f7fe915a9378bf361
SHA512

0ab8a96b06ed9baf4f609faa4935fc6bae7ad1a77d0eb75bad03c41e3291505c7427ad457e1b88ad4fb352c3c549cd286ca5b4d0ffeb4ca1a7314dfb7f343b4e
SSDEEP

6144:dN9ydRO4MojT8Nbp2npn5soltfE7k0/PVukfu7Ncgw6cUulYvlJAplDaK0FFvaI:n90E4X8Cniolq/tukG7pw6cllWlJApla

Score

5^/10

Suspicious use of SetThreadContext 1 IoCs

Processes:

ave_maria_rat.exe

description pid process target process

PID 5108 set thread context of 1332 5108 ave_maria_rat.exe ave_maria_rat.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1292 1332 WerFault.exe ave_maria_rat.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

ave_maria_rat.exe

description pid process

Token: SeDebugPrivilege 5108 ave_maria_rat.exe

description	pid	process	target process
PID 5108 set thread context of 1332	5108	ave_maria_rat.exe	ave_maria_rat.exe

pid	pid_target	process	target process
1292	1332	WerFault.exe	ave_maria_rat.exe

description	pid	process
Token: SeDebugPrivilege	5108	ave_maria_rat.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

ave_maria_rat.exe

description	pid	process	target process
PID 5108 wrote to memory of 1332	5108	ave_maria_rat.exe	ave_maria_rat.exe
PID 5108 wrote to memory of 1332	5108	ave_maria_rat.exe	ave_maria_rat.exe
PID 5108 wrote to memory of 1332	5108	ave_maria_rat.exe	ave_maria_rat.exe
PID 5108 wrote to memory of 1332	5108	ave_maria_rat.exe	ave_maria_rat.exe
PID 5108 wrote to memory of 1332	5108	ave_maria_rat.exe	ave_maria_rat.exe
PID 5108 wrote to memory of 1332	5108	ave_maria_rat.exe	ave_maria_rat.exe
PID 5108 wrote to memory of 1332	5108	ave_maria_rat.exe	ave_maria_rat.exe
PID 5108 wrote to memory of 1332	5108	ave_maria_rat.exe	ave_maria_rat.exe
PID 5108 wrote to memory of 1332	5108	ave_maria_rat.exe	ave_maria_rat.exe
PID 5108 wrote to memory of 1332	5108	ave_maria_rat.exe	ave_maria_rat.exe
PID 5108 wrote to memory of 1332	5108	ave_maria_rat.exe	ave_maria_rat.exe

C:\Users\Admin\AppData\Local\Temp\ave_maria_rat.exe
C:\Users\Admin\AppData\Local\Temp\ave_maria_rat.exe
2⤵
PID:1332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1332 -s 80
3⤵
- Program crash
PID:1292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1332 -ip 1332
1⤵
PID:372

memory/1332-136-0x0000000000000000-mapping.dmp

Download
memory/5108-132-0x0000000000830000-0x0000000000898000-memory.dmp

Filesize
416KB

Download
memory/5108-133-0x000000000DF10000-0x000000000DFAC000-memory.dmp

Filesize
624KB

Download
memory/5108-134-0x000000000E560000-0x000000000EB04000-memory.dmp

Filesize
5.6MB

Download
memory/5108-135-0x000000000DFB0000-0x000000000E042000-memory.dmp

Filesize
584KB

Download