2194f49d4b349e23456b323abfc7167bf5927453590abd43cbdaca1dda9bcd68

Analysis

max time kernel
406s
max time network
410s
platform
windows7_x64
resource
win7-20230220-es
resource tags

arch:x64arch:x86image:win7-20230220-eslocale:es-esos:windows7-x64systemwindows
submitted
19-03-2023 14:14

Target

Git2/sdfsdfs.exe
Size

214KB
MD5

8882daf740d94819afcce024bce34a37
SHA1

4bdb80e664638201f393a49e5577886683d54662
SHA256

a5ea48e864640a9562da03abdd54cfa617a4699cec0238299bdda5ccb28cfe8d
SHA512

6ba0c7863713c4334ce511ee7ea7460ea6dacdb243008fae1556a3db7740e6ae53f30e03309f3cc3bf0394328f470a880bf8ed31ee7552ef47dd3823a6ef4c97
SSDEEP

6144:O6nLK128LbhLJuLZePizkHQ3EqdYmkRMUx:DLK12gJuLZ0iIHqfG

Score

5^/10

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 864 set thread context of 1660	864	sdfsdfs.exe	29

Program crash 1 IoCs

pid	pid_target	Process	procid_target
320	864	WerFault.exe	27

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1660	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1660	AppLaunch.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 864 wrote to memory of 1660	864	sdfsdfs.exe	29
PID 864 wrote to memory of 1660	864	sdfsdfs.exe	29
PID 864 wrote to memory of 1660	864	sdfsdfs.exe	29
PID 864 wrote to memory of 1660	864	sdfsdfs.exe	29
PID 864 wrote to memory of 1660	864	sdfsdfs.exe	29
PID 864 wrote to memory of 1660	864	sdfsdfs.exe	29
PID 864 wrote to memory of 1660	864	sdfsdfs.exe	29
PID 864 wrote to memory of 1660	864	sdfsdfs.exe	29
PID 864 wrote to memory of 1660	864	sdfsdfs.exe	29
PID 864 wrote to memory of 320	864	sdfsdfs.exe	30
PID 864 wrote to memory of 320	864	sdfsdfs.exe	30
PID 864 wrote to memory of 320	864	sdfsdfs.exe	30
PID 864 wrote to memory of 320	864	sdfsdfs.exe	30

C:\Users\Admin\AppData\Local\Temp\Git2\sdfsdfs.exe
"C:\Users\Admin\AppData\Local\Temp\Git2\sdfsdfs.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:864
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1660
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 864 -s 144
  2⤵
  - Program crash
  PID:320

memory/1660-54-0x0000000000090000-0x00000000000B8000-memory.dmp

Filesize
160KB

Download
memory/1660-55-0x0000000000090000-0x00000000000B8000-memory.dmp

Filesize
160KB

Download
memory/1660-59-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1660-61-0x0000000000090000-0x00000000000B8000-memory.dmp

Filesize
160KB

Download
memory/1660-62-0x0000000000090000-0x00000000000B8000-memory.dmp

Filesize
160KB

Download
memory/1660-63-0x0000000007120000-0x0000000007160000-memory.dmp

Filesize
256KB

Download