664fd170b1d07e372b3daa91aab78a8151d3f0b0361a2b3157b405314dd219a2

Resubmissions

20-04-2023 08:22

27-03-2023 09:38

max time kernel
141s
max time network
32s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
20-04-2023 08:22

Target

GetPass.exe
Size

178KB
MD5

2e17ac792a4ae32ff5c9d751ab3a77e3
SHA1

d18d952b24110b83abd17e042f9deee679de6a1a
SHA256

e9cffb4773da2d46282aeafc6680e7aed8ff8537040a2a27d3c1ee3e3229d88e
SHA512

30144f1ad0b0967f29dc4628ef50485fff201234041fa4aba8fc55521ca10aa3b16f391c5c7332267438235985d9e703b6155c59b1c34f06dbb56ae0072899d9
SSDEEP

3072:EnPhSvw5JB9goXOO8Ua7o+NbUmW8NUCABqJ+iS5xqlIJPZrn1c2x45Y/32kls5xi:EnPhtfBLOn7vNbUmnWqJt4xqlIld1XxJ

Score

7^/10

upx

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

Processes:

resource	yara_rule
behavioral7/memory/1952-54-0x0000000000400000-0x00000000004A6000-memory.dmp	upx

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
432	1952	WerFault.exe	27

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

GetPass.exe

description	pid	Process
Token: SeDebugPrivilege	1952	GetPass.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

GetPass.exe

description	pid	Process	procid_target
PID 1952 wrote to memory of 432	1952	GetPass.exe	29
PID 1952 wrote to memory of 432	1952	GetPass.exe	29
PID 1952 wrote to memory of 432	1952	GetPass.exe	29
PID 1952 wrote to memory of 432	1952	GetPass.exe	29

C:\Users\Admin\AppData\Local\Temp\GetPass.exe
"C:\Users\Admin\AppData\Local\Temp\GetPass.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1952
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1952 -s 164
  2⤵
  - Program crash
  PID:432

memory/1952-54-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download