45e9824c87d284abd7072c0eb8c2bfdbeba2eb0b15005c36499df62d370f310e

Analysis

max time kernel
30s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
18/03/2023, 10:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

808KB
MD5

7cd39f854e71cb4fc42e0318032d0c4c
SHA1

63b231e6336be60d274c696e926c06a91ce85185
SHA256

45e9824c87d284abd7072c0eb8c2bfdbeba2eb0b15005c36499df62d370f310e
SHA512

150c7d04499734019de685a866861311a1e1eb56bd9926d9e4b35fbae20d2edebd2aa3ca0a045c9b84aa3751dd1ae6f115a725b2cb42b278c7d32f0c640e7acb
SSDEEP

24576:GCD34eBS4FDvRdNcsYk8BfOhFtoBtqC8JWhbr:v34R4FD9csYkqUF2tsgbr

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1376 set thread context of 1496	1376	tmp.exe	41

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1712	1496	WerFault.exe	41

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1376	tmp.exe
1376	tmp.exe
1376	tmp.exe
1376	tmp.exe
1376	tmp.exe
1376	tmp.exe
1376	tmp.exe
1376	tmp.exe
1376	tmp.exe
1376	tmp.exe
1376	tmp.exe
1376	tmp.exe
1376	tmp.exe
1376	tmp.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1376	tmp.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 1376 wrote to memory of 2012	1376	tmp.exe	28
PID 1376 wrote to memory of 2012	1376	tmp.exe	28
PID 1376 wrote to memory of 2012	1376	tmp.exe	28
PID 1376 wrote to memory of 2004	1376	tmp.exe	29
PID 1376 wrote to memory of 2004	1376	tmp.exe	29
PID 1376 wrote to memory of 2004	1376	tmp.exe	29
PID 1376 wrote to memory of 1624	1376	tmp.exe	30
PID 1376 wrote to memory of 1624	1376	tmp.exe	30
PID 1376 wrote to memory of 1624	1376	tmp.exe	30
PID 1376 wrote to memory of 296	1376	tmp.exe	31
PID 1376 wrote to memory of 296	1376	tmp.exe	31
PID 1376 wrote to memory of 296	1376	tmp.exe	31
PID 1376 wrote to memory of 296	1376	tmp.exe	31
PID 1376 wrote to memory of 1988	1376	tmp.exe	36
PID 1376 wrote to memory of 1988	1376	tmp.exe	36
PID 1376 wrote to memory of 1988	1376	tmp.exe	36
PID 1376 wrote to memory of 1340	1376	tmp.exe	33
PID 1376 wrote to memory of 1340	1376	tmp.exe	33
PID 1376 wrote to memory of 1340	1376	tmp.exe	33
PID 1376 wrote to memory of 304	1376	tmp.exe	32
PID 1376 wrote to memory of 304	1376	tmp.exe	32
PID 1376 wrote to memory of 304	1376	tmp.exe	32
PID 1376 wrote to memory of 656	1376	tmp.exe	35
PID 1376 wrote to memory of 656	1376	tmp.exe	35
PID 1376 wrote to memory of 656	1376	tmp.exe	35
PID 1376 wrote to memory of 588	1376	tmp.exe	34
PID 1376 wrote to memory of 588	1376	tmp.exe	34
PID 1376 wrote to memory of 588	1376	tmp.exe	34
PID 1376 wrote to memory of 520	1376	tmp.exe	37
PID 1376 wrote to memory of 520	1376	tmp.exe	37
PID 1376 wrote to memory of 520	1376	tmp.exe	37
PID 1376 wrote to memory of 580	1376	tmp.exe	38
PID 1376 wrote to memory of 580	1376	tmp.exe	38
PID 1376 wrote to memory of 580	1376	tmp.exe	38
PID 1376 wrote to memory of 268	1376	tmp.exe	39
PID 1376 wrote to memory of 268	1376	tmp.exe	39
PID 1376 wrote to memory of 268	1376	tmp.exe	39
PID 1376 wrote to memory of 1648	1376	tmp.exe	40
PID 1376 wrote to memory of 1648	1376	tmp.exe	40
PID 1376 wrote to memory of 1648	1376	tmp.exe	40
PID 1376 wrote to memory of 1496	1376	tmp.exe	41
PID 1376 wrote to memory of 1496	1376	tmp.exe	41
PID 1376 wrote to memory of 1496	1376	tmp.exe	41
PID 1376 wrote to memory of 1496	1376	tmp.exe	41
PID 1376 wrote to memory of 1496	1376	tmp.exe	41
PID 1376 wrote to memory of 1496	1376	tmp.exe	41
PID 1376 wrote to memory of 1496	1376	tmp.exe	41
PID 1376 wrote to memory of 1496	1376	tmp.exe	41
PID 1376 wrote to memory of 1496	1376	tmp.exe	41
PID 1376 wrote to memory of 1496	1376	tmp.exe	41
PID 1376 wrote to memory of 1496	1376	tmp.exe	41
PID 1376 wrote to memory of 1496	1376	tmp.exe	41
PID 1376 wrote to memory of 1496	1376	tmp.exe	41
PID 1496 wrote to memory of 1712	1496	Setup.exe	42
PID 1496 wrote to memory of 1712	1496	Setup.exe	42
PID 1496 wrote to memory of 1712	1496	Setup.exe	42
PID 1496 wrote to memory of 1712	1496	Setup.exe	42

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1376
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe"
  2⤵
  PID:2012
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe"
  2⤵
  PID:2004
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe"
  2⤵
  PID:1624
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"
  2⤵
  PID:296
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe"
  2⤵
  PID:304
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe"
  2⤵
  PID:1340
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"
  2⤵
  PID:588
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe"
  2⤵
  PID:656
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe"
  2⤵
  PID:1988
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:520
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
  2⤵
  PID:580
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe"
  2⤵
  PID:268
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe"
  2⤵
  PID:1648
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\Setup.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\Setup.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1496
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1496 -s 304
    3⤵
    - Program crash
    PID:1712

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1376-54-0x00000000000B0000-0x000000000017E000-memory.dmp

Filesize
824KB

Download
memory/1376-55-0x000000001B370000-0x000000001B3F0000-memory.dmp

Filesize
512KB

Download
memory/1376-56-0x000000001ACC0000-0x000000001AD76000-memory.dmp

Filesize
728KB

Download
memory/1496-57-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download