8f65ced3e5e6fa8adfa870b9a4943c97c2bcbf8c3a0686d52f9d6cb430a16ae2 | Triage

Analysis

max time kernel
21s
max time network
25s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
24/05/2023, 22:53

Sharing

Report Analysis Logs

General

Target

svchost.exe
Size

29.0MB
MD5

d5f53409ee8125d248fce665965ea832
SHA1

ad4733ce7e62d5bb45fd555dcf20d3674872c648
SHA256

8f65ced3e5e6fa8adfa870b9a4943c97c2bcbf8c3a0686d52f9d6cb430a16ae2
SHA512

4c1297846a4b032b7feb0603b0343568ef855aec1e0381edbad589a7e9e7162c36005758f7dd35a2faf424e5687e3b47a49d91be84e90257ca890e7ed30009c8
SSDEEP

393216:Cl4LjezDn4qvfiI6ornbSrK6id9bNkU5FqT55FF+eRVYPv0IY5JLNWH:mQavfiirbBNiUv+9bRVYX0IY3Lm

Score

5^/10

Malware Config

Signatures

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
4352	svchost.exe
4352	svchost.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1480	4352	WerFault.exe	84

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4352	svchost.exe
4352	svchost.exe

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4352
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4352 -s 756
  2⤵
  - Program crash
  PID:1480

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 452 -p 4352 -ip 4352
1⤵
PID:4588

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4352-133-0x00007FF98FAD0000-0x00007FF98FAD2000-memory.dmp

Filesize
8KB

Download
memory/4352-134-0x00007FF98FAE0000-0x00007FF98FAE2000-memory.dmp

Filesize
8KB

Download
memory/4352-135-0x00007FF71A020000-0x00007FF71E86A000-memory.dmp

Filesize
72.3MB

Download
memory/4352-143-0x0000024A91270000-0x0000024A91280000-memory.dmp

Filesize
64KB

Download