679ecde4cd6afa60eaf6ab07179310def1cc22b0790b1efeb52ce1d80b06531c

Analysis

max time kernel
31s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
16-05-2023 12:01

Target

MavrodiBlack 2.exe
Size

592KB
MD5

a5f8768a97c74ecc4c26c402f2bcef11
SHA1

d234ce957544025614d49e1e18f3bac6352ca994
SHA256

679ecde4cd6afa60eaf6ab07179310def1cc22b0790b1efeb52ce1d80b06531c
SHA512

e425b6d9f19de18465af3ea438a9ec3ee9f0ca30608146f3094fa28960a841f5d3a9a2a13655c2123d93f5bcab79e57a37b10d7201ffddd8b8991c3f0eae6009
SSDEEP

6144:jS6d7abcho/OiptVSaPCpikafd5Y9k1WeR7LSxDxpaG6WiX22QbjMrgXScKl+mH1:W6dvhop3zlEyLeKXo8r2Kl+4mW/QKU6

Score

5^/10

Suspicious use of SetThreadContext 1 IoCs

Processes:

MavrodiBlack 2.exe

description pid process target process

PID 1704 set thread context of 1688 1704 MavrodiBlack 2.exe AppLaunch.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1164 1688 WerFault.exe AppLaunch.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

AppLaunch.exe

description pid process

Token: SeDebugPrivilege 1688 AppLaunch.exe

description	pid	process	target process
PID 1704 set thread context of 1688	1704	MavrodiBlack 2.exe	AppLaunch.exe

pid	pid_target	process	target process
1164	1688	WerFault.exe	AppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	1688	AppLaunch.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

MavrodiBlack 2.exeAppLaunch.exe

description	pid	process	target process
PID 1704 wrote to memory of 1688	1704	MavrodiBlack 2.exe	AppLaunch.exe
PID 1704 wrote to memory of 1688	1704	MavrodiBlack 2.exe	AppLaunch.exe
PID 1704 wrote to memory of 1688	1704	MavrodiBlack 2.exe	AppLaunch.exe
PID 1704 wrote to memory of 1688	1704	MavrodiBlack 2.exe	AppLaunch.exe
PID 1704 wrote to memory of 1688	1704	MavrodiBlack 2.exe	AppLaunch.exe
PID 1704 wrote to memory of 1688	1704	MavrodiBlack 2.exe	AppLaunch.exe
PID 1704 wrote to memory of 1688	1704	MavrodiBlack 2.exe	AppLaunch.exe
PID 1704 wrote to memory of 1688	1704	MavrodiBlack 2.exe	AppLaunch.exe
PID 1704 wrote to memory of 1688	1704	MavrodiBlack 2.exe	AppLaunch.exe
PID 1688 wrote to memory of 1164	1688	AppLaunch.exe	WerFault.exe
PID 1688 wrote to memory of 1164	1688	AppLaunch.exe	WerFault.exe
PID 1688 wrote to memory of 1164	1688	AppLaunch.exe	WerFault.exe
PID 1688 wrote to memory of 1164	1688	AppLaunch.exe	WerFault.exe
PID 1688 wrote to memory of 1164	1688	AppLaunch.exe	WerFault.exe
PID 1688 wrote to memory of 1164	1688	AppLaunch.exe	WerFault.exe
PID 1688 wrote to memory of 1164	1688	AppLaunch.exe	WerFault.exe

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1688 -s 1108
3⤵
- Program crash
PID:1164

memory/1688-55-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1688-56-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1688-60-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1688-62-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1688-63-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1688-64-0x0000000000330000-0x000000000034A000-memory.dmp

Filesize
104KB

Download
memory/1688-65-0x0000000004C40000-0x0000000004C80000-memory.dmp

Filesize
256KB

Download
memory/1688-66-0x0000000004C40000-0x0000000004C80000-memory.dmp

Filesize
256KB

Download