aa4046ab8b9a2566c1a35d827ed97ce8f15e0254727d270807505f47d53aaeff

Analysis

max time kernel
31s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
01/02/2023, 13:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2fffb9e3cef7f3b779884b4d690137c10b266b56.exe
Size

34KB
MD5

b28805a91c77bd56fb47307477c522f8
SHA1

2fffb9e3cef7f3b779884b4d690137c10b266b56
SHA256

aa4046ab8b9a2566c1a35d827ed97ce8f15e0254727d270807505f47d53aaeff
SHA512

c2b602132cd28cdae70d9e03609b23d27f90eb094857caeb0740b56196ae28bbd9982f864f81e145b362a4fea2379e18f21b3f94cd529363ea4a2a536eadad51
SSDEEP

384:kOhNuCCfNNrQKvPWXwEwZhI6hlhxggKWJUw34KljAAlGOBN3z7E7H96vEPnKvFU8:kOWNrrWXnohVxKWaihMbKW+k2RH

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1476 set thread context of 804	1476	2fffb9e3cef7f3b779884b4d690137c10b266b56.exe	45

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1648	804	WerFault.exe	45

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
1476	2fffb9e3cef7f3b779884b4d690137c10b266b56.exe
1476	2fffb9e3cef7f3b779884b4d690137c10b266b56.exe
1476	2fffb9e3cef7f3b779884b4d690137c10b266b56.exe
1476	2fffb9e3cef7f3b779884b4d690137c10b266b56.exe
1476	2fffb9e3cef7f3b779884b4d690137c10b266b56.exe
1476	2fffb9e3cef7f3b779884b4d690137c10b266b56.exe
1476	2fffb9e3cef7f3b779884b4d690137c10b266b56.exe
1476	2fffb9e3cef7f3b779884b4d690137c10b266b56.exe
1476	2fffb9e3cef7f3b779884b4d690137c10b266b56.exe
1476	2fffb9e3cef7f3b779884b4d690137c10b266b56.exe
1476	2fffb9e3cef7f3b779884b4d690137c10b266b56.exe
1476	2fffb9e3cef7f3b779884b4d690137c10b266b56.exe
1476	2fffb9e3cef7f3b779884b4d690137c10b266b56.exe
1476	2fffb9e3cef7f3b779884b4d690137c10b266b56.exe
1476	2fffb9e3cef7f3b779884b4d690137c10b266b56.exe
1476	2fffb9e3cef7f3b779884b4d690137c10b266b56.exe
1476	2fffb9e3cef7f3b779884b4d690137c10b266b56.exe
1476	2fffb9e3cef7f3b779884b4d690137c10b266b56.exe
1476	2fffb9e3cef7f3b779884b4d690137c10b266b56.exe
1476	2fffb9e3cef7f3b779884b4d690137c10b266b56.exe
1476	2fffb9e3cef7f3b779884b4d690137c10b266b56.exe
1476	2fffb9e3cef7f3b779884b4d690137c10b266b56.exe
1476	2fffb9e3cef7f3b779884b4d690137c10b266b56.exe
1476	2fffb9e3cef7f3b779884b4d690137c10b266b56.exe
1476	2fffb9e3cef7f3b779884b4d690137c10b266b56.exe
1476	2fffb9e3cef7f3b779884b4d690137c10b266b56.exe
1476	2fffb9e3cef7f3b779884b4d690137c10b266b56.exe
1476	2fffb9e3cef7f3b779884b4d690137c10b266b56.exe
1476	2fffb9e3cef7f3b779884b4d690137c10b266b56.exe
1476	2fffb9e3cef7f3b779884b4d690137c10b266b56.exe
1476	2fffb9e3cef7f3b779884b4d690137c10b266b56.exe
1476	2fffb9e3cef7f3b779884b4d690137c10b266b56.exe
1476	2fffb9e3cef7f3b779884b4d690137c10b266b56.exe
1476	2fffb9e3cef7f3b779884b4d690137c10b266b56.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1476	2fffb9e3cef7f3b779884b4d690137c10b266b56.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1476 wrote to memory of 1504	1476	2fffb9e3cef7f3b779884b4d690137c10b266b56.exe	28
PID 1476 wrote to memory of 1504	1476	2fffb9e3cef7f3b779884b4d690137c10b266b56.exe	28
PID 1476 wrote to memory of 1504	1476	2fffb9e3cef7f3b779884b4d690137c10b266b56.exe	28
PID 1476 wrote to memory of 432	1476	2fffb9e3cef7f3b779884b4d690137c10b266b56.exe	29
PID 1476 wrote to memory of 432	1476	2fffb9e3cef7f3b779884b4d690137c10b266b56.exe	29
PID 1476 wrote to memory of 432	1476	2fffb9e3cef7f3b779884b4d690137c10b266b56.exe	29
PID 1476 wrote to memory of 272	1476	2fffb9e3cef7f3b779884b4d690137c10b266b56.exe	30
PID 1476 wrote to memory of 272	1476	2fffb9e3cef7f3b779884b4d690137c10b266b56.exe	30
PID 1476 wrote to memory of 272	1476	2fffb9e3cef7f3b779884b4d690137c10b266b56.exe	30
PID 1476 wrote to memory of 564	1476	2fffb9e3cef7f3b779884b4d690137c10b266b56.exe	31
PID 1476 wrote to memory of 564	1476	2fffb9e3cef7f3b779884b4d690137c10b266b56.exe	31
PID 1476 wrote to memory of 564	1476	2fffb9e3cef7f3b779884b4d690137c10b266b56.exe	31
PID 1476 wrote to memory of 876	1476	2fffb9e3cef7f3b779884b4d690137c10b266b56.exe	32
PID 1476 wrote to memory of 876	1476	2fffb9e3cef7f3b779884b4d690137c10b266b56.exe	32
PID 1476 wrote to memory of 876	1476	2fffb9e3cef7f3b779884b4d690137c10b266b56.exe	32
PID 1476 wrote to memory of 1744	1476	2fffb9e3cef7f3b779884b4d690137c10b266b56.exe	33
PID 1476 wrote to memory of 1744	1476	2fffb9e3cef7f3b779884b4d690137c10b266b56.exe	33
PID 1476 wrote to memory of 1744	1476	2fffb9e3cef7f3b779884b4d690137c10b266b56.exe	33
PID 1476 wrote to memory of 1744	1476	2fffb9e3cef7f3b779884b4d690137c10b266b56.exe	33
PID 1476 wrote to memory of 1720	1476	2fffb9e3cef7f3b779884b4d690137c10b266b56.exe	34
PID 1476 wrote to memory of 1720	1476	2fffb9e3cef7f3b779884b4d690137c10b266b56.exe	34
PID 1476 wrote to memory of 1720	1476	2fffb9e3cef7f3b779884b4d690137c10b266b56.exe	34
PID 1476 wrote to memory of 1716	1476	2fffb9e3cef7f3b779884b4d690137c10b266b56.exe	35
PID 1476 wrote to memory of 1716	1476	2fffb9e3cef7f3b779884b4d690137c10b266b56.exe	35
PID 1476 wrote to memory of 1716	1476	2fffb9e3cef7f3b779884b4d690137c10b266b56.exe	35
PID 1476 wrote to memory of 1496	1476	2fffb9e3cef7f3b779884b4d690137c10b266b56.exe	36
PID 1476 wrote to memory of 1496	1476	2fffb9e3cef7f3b779884b4d690137c10b266b56.exe	36
PID 1476 wrote to memory of 1496	1476	2fffb9e3cef7f3b779884b4d690137c10b266b56.exe	36
PID 1476 wrote to memory of 568	1476	2fffb9e3cef7f3b779884b4d690137c10b266b56.exe	37
PID 1476 wrote to memory of 568	1476	2fffb9e3cef7f3b779884b4d690137c10b266b56.exe	37
PID 1476 wrote to memory of 568	1476	2fffb9e3cef7f3b779884b4d690137c10b266b56.exe	37
PID 1476 wrote to memory of 268	1476	2fffb9e3cef7f3b779884b4d690137c10b266b56.exe	38
PID 1476 wrote to memory of 268	1476	2fffb9e3cef7f3b779884b4d690137c10b266b56.exe	38
PID 1476 wrote to memory of 268	1476	2fffb9e3cef7f3b779884b4d690137c10b266b56.exe	38
PID 1476 wrote to memory of 668	1476	2fffb9e3cef7f3b779884b4d690137c10b266b56.exe	39
PID 1476 wrote to memory of 668	1476	2fffb9e3cef7f3b779884b4d690137c10b266b56.exe	39
PID 1476 wrote to memory of 668	1476	2fffb9e3cef7f3b779884b4d690137c10b266b56.exe	39
PID 1476 wrote to memory of 1836	1476	2fffb9e3cef7f3b779884b4d690137c10b266b56.exe	40
PID 1476 wrote to memory of 1836	1476	2fffb9e3cef7f3b779884b4d690137c10b266b56.exe	40
PID 1476 wrote to memory of 1836	1476	2fffb9e3cef7f3b779884b4d690137c10b266b56.exe	40
PID 1476 wrote to memory of 1804	1476	2fffb9e3cef7f3b779884b4d690137c10b266b56.exe	41
PID 1476 wrote to memory of 1804	1476	2fffb9e3cef7f3b779884b4d690137c10b266b56.exe	41
PID 1476 wrote to memory of 1804	1476	2fffb9e3cef7f3b779884b4d690137c10b266b56.exe	41
PID 1476 wrote to memory of 1364	1476	2fffb9e3cef7f3b779884b4d690137c10b266b56.exe	42
PID 1476 wrote to memory of 1364	1476	2fffb9e3cef7f3b779884b4d690137c10b266b56.exe	42
PID 1476 wrote to memory of 1364	1476	2fffb9e3cef7f3b779884b4d690137c10b266b56.exe	42
PID 1476 wrote to memory of 1760	1476	2fffb9e3cef7f3b779884b4d690137c10b266b56.exe	43
PID 1476 wrote to memory of 1760	1476	2fffb9e3cef7f3b779884b4d690137c10b266b56.exe	43
PID 1476 wrote to memory of 1760	1476	2fffb9e3cef7f3b779884b4d690137c10b266b56.exe	43
PID 1476 wrote to memory of 1932	1476	2fffb9e3cef7f3b779884b4d690137c10b266b56.exe	44
PID 1476 wrote to memory of 1932	1476	2fffb9e3cef7f3b779884b4d690137c10b266b56.exe	44
PID 1476 wrote to memory of 1932	1476	2fffb9e3cef7f3b779884b4d690137c10b266b56.exe	44
PID 1476 wrote to memory of 804	1476	2fffb9e3cef7f3b779884b4d690137c10b266b56.exe	45
PID 1476 wrote to memory of 804	1476	2fffb9e3cef7f3b779884b4d690137c10b266b56.exe	45
PID 1476 wrote to memory of 804	1476	2fffb9e3cef7f3b779884b4d690137c10b266b56.exe	45
PID 1476 wrote to memory of 804	1476	2fffb9e3cef7f3b779884b4d690137c10b266b56.exe	45
PID 1476 wrote to memory of 804	1476	2fffb9e3cef7f3b779884b4d690137c10b266b56.exe	45
PID 1476 wrote to memory of 804	1476	2fffb9e3cef7f3b779884b4d690137c10b266b56.exe	45
PID 1476 wrote to memory of 804	1476	2fffb9e3cef7f3b779884b4d690137c10b266b56.exe	45
PID 1476 wrote to memory of 804	1476	2fffb9e3cef7f3b779884b4d690137c10b266b56.exe	45
PID 1476 wrote to memory of 804	1476	2fffb9e3cef7f3b779884b4d690137c10b266b56.exe	45
PID 1476 wrote to memory of 804	1476	2fffb9e3cef7f3b779884b4d690137c10b266b56.exe	45
PID 1476 wrote to memory of 804	1476	2fffb9e3cef7f3b779884b4d690137c10b266b56.exe	45
PID 1476 wrote to memory of 804	1476	2fffb9e3cef7f3b779884b4d690137c10b266b56.exe	45

C:\Users\Admin\AppData\Local\Temp\2fffb9e3cef7f3b779884b4d690137c10b266b56.exe
"C:\Users\Admin\AppData\Local\Temp\2fffb9e3cef7f3b779884b4d690137c10b266b56.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1476
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe"
  2⤵
  PID:1504
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe"
  2⤵
  PID:432
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"
  2⤵
  PID:272
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe"
  2⤵
  PID:564
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
  2⤵
  PID:876
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
  2⤵
  PID:1744
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
  2⤵
  PID:1720
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"
  2⤵
  PID:1716
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
  2⤵
  PID:1496
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe"
  2⤵
  PID:568
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
  2⤵
  PID:268
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe"
  2⤵
  PID:668
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe"
  2⤵
  PID:1836
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe"
  2⤵
  PID:1804
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe"
  2⤵
  PID:1364
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
  2⤵
  PID:1760
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe"
  2⤵
  PID:1932
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\Setup.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\Setup.exe"
  2⤵
  PID:804
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 804 -s 304
    3⤵
    - Program crash
    PID:1648

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/804-56-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/804-58-0x0000000075D01000-0x0000000075D03000-memory.dmp

Filesize
8KB

Download
memory/1476-54-0x0000000000FD0000-0x0000000000FDE000-memory.dmp

Filesize
56KB

Download
memory/1476-55-0x0000000000590000-0x00000000005FE000-memory.dmp

Filesize
440KB

Download