7039fabc43e34d0cce367e1e6fb99cc4d76cf6dfa36b8131e57b7ee3453687fe | Triage

Analysis

max time kernel
30s
max time network
32s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
02/02/2023, 11:18

Sharing

Report Analysis Logs

General

Target

BypassCredGuard.exe
Size

1.1MB
MD5

24e9af62fb9154f3fda6a72fd1afe678
SHA1

51239090c14895a04628a38f4c36948b4b7cc0b8
SHA256

7039fabc43e34d0cce367e1e6fb99cc4d76cf6dfa36b8131e57b7ee3453687fe
SHA512

cd6f670ac0ac896aeefb3c6ee6b445b08e9ca3f404d93ac0f3726a297c5058c923a9c8d3235eb3181ef232af807613296bcc754de8a85bb09cf991130bc6fc42
SSDEEP

12288:3bUzm3h0EPX3Mf3d/aRebDLOuiXhYhZjrtEt6TpeOCDodCO53z:3b0m3hhPX3eN/aRuDLOChZn9vlz

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1192	BypassCredGuard.exe
1192	BypassCredGuard.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1192	BypassCredGuard.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1192 wrote to memory of 660	1192	BypassCredGuard.exe	6
PID 1192 wrote to memory of 660	1192	BypassCredGuard.exe	6

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:660

C:\Users\Admin\AppData\Local\Temp\BypassCredGuard.exe
"C:\Users\Admin\AppData\Local\Temp\BypassCredGuard.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1192

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1192-132-0x00007FF6C7830000-0x00007FF6C79AD000-memory.dmp

Filesize
1.5MB

Download