0789a9c0a0d4f3422cb4e9b8e64f1ba92f7b88e2edfd14b7b9a7f5eee5135a4f

Analysis

max time kernel
131s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
22/02/2023, 03:46

Target

0789a9c0a0d4f3422cb4e9b8e64f1ba92f7b88e2edfd14b7b9a7f5eee5135a4f.exe
Size

75KB
MD5

ee9c6e60027c8ce65003de32d6125914
SHA1

97872dbc8df6d6c4cc6419e81994336503c748f9
SHA256

0789a9c0a0d4f3422cb4e9b8e64f1ba92f7b88e2edfd14b7b9a7f5eee5135a4f
SHA512

78b53a0b34ffca4bc07b318ae8d23c3a74a9fb3ab2801e25888f1cf7690cb8ed72460ff36d11b3ddeebfd15e2a62e353efb63b7a9c2ae2a15607875ca1052bb3
SSDEEP

768:FbzkUtPX9DUetap1YOc8tmmSuDsCHJexou+nPp18vjILhussGdamRv5qmppQHUdv:SaX1LGfDpRRuI0PuvtOuSG4yr

Score

3^/10

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3512	3628	WerFault.exe	80

Modifies registry class 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\.quantum\shell\Open\command\ = "explorer.exe README_TO_DECRYPT.html"	0789a9c0a0d4f3422cb4e9b8e64f1ba92f7b88e2edfd14b7b9a7f5eee5135a4f.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\.quantum\shell\Open\command	0789a9c0a0d4f3422cb4e9b8e64f1ba92f7b88e2edfd14b7b9a7f5eee5135a4f.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\.quantum	0789a9c0a0d4f3422cb4e9b8e64f1ba92f7b88e2edfd14b7b9a7f5eee5135a4f.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\.quantum\shell	0789a9c0a0d4f3422cb4e9b8e64f1ba92f7b88e2edfd14b7b9a7f5eee5135a4f.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\.quantum\shell\Open	0789a9c0a0d4f3422cb4e9b8e64f1ba92f7b88e2edfd14b7b9a7f5eee5135a4f.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeRestorePrivilege	3628	0789a9c0a0d4f3422cb4e9b8e64f1ba92f7b88e2edfd14b7b9a7f5eee5135a4f.exe
Token: SeDebugPrivilege	3628	0789a9c0a0d4f3422cb4e9b8e64f1ba92f7b88e2edfd14b7b9a7f5eee5135a4f.exe

C:\Users\Admin\AppData\Local\Temp\0789a9c0a0d4f3422cb4e9b8e64f1ba92f7b88e2edfd14b7b9a7f5eee5135a4f.exe
"C:\Users\Admin\AppData\Local\Temp\0789a9c0a0d4f3422cb4e9b8e64f1ba92f7b88e2edfd14b7b9a7f5eee5135a4f.exe"
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3628
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3628 -s 656
  2⤵
  - Program crash
  PID:3512

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 176 -p 3628 -ip 3628
1⤵
PID:5080