fbac21bf5e516a65cbe371d422dc3edcc784af1a6ed87ba4485b775c156225ed

Analysis

max time kernel
404s
max time network
444s
platform
windows10-1703_x64
resource
win10-20230220-de
resource tags

arch:x64arch:x86image:win10-20230220-delocale:de-deos:windows10-1703-x64systemwindows
submitted
28/05/2023, 20:45

Target

GamboSpoofer.exe
Size

1.1MB
MD5

c83b14935761355e5f628cf004cc568b
SHA1

a465bca76408d47f6c2ef506c0c3dd24e6ea3746
SHA256

fbac21bf5e516a65cbe371d422dc3edcc784af1a6ed87ba4485b775c156225ed
SHA512

282e13838e84c9063d8e9281d4c31205b76fba516f8763814fd489d6c855538e0964f3a60f9b36739ef8fe34d93fc01648a3f904214a8832262a3f3eeb28d0d2
SSDEEP

6144:LKCp0ZwbXC4b11VOb11VQ9mKb11Vzb11V:ttbbVObbVgmKbbVzbbV

Score

1^/10

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3076	GamboSpoofer.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3076 wrote to memory of 4636	3076	GamboSpoofer.exe	66
PID 3076 wrote to memory of 4636	3076	GamboSpoofer.exe	66
PID 3076 wrote to memory of 4636	3076	GamboSpoofer.exe	66

C:\Users\Admin\AppData\Local\Temp\GamboSpoofer.exe
"C:\Users\Admin\AppData\Local\Temp\GamboSpoofer.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3076
- C:\Windows\SysWOW64\arp.exe
  "C:\Windows\System32\arp.exe" -a
  2⤵
  PID:4636

memory/3076-116-0x0000000000DD0000-0x0000000000EEC000-memory.dmp

Filesize
1.1MB

Download
memory/3076-117-0x0000000005E40000-0x000000000633E000-memory.dmp

Filesize
5.0MB

Download
memory/3076-118-0x0000000005850000-0x00000000058E2000-memory.dmp

Filesize
584KB

Download
memory/3076-119-0x00000000059C0000-0x00000000059D0000-memory.dmp

Filesize
64KB

Download
memory/3076-120-0x0000000006890000-0x00000000068D2000-memory.dmp

Filesize
264KB

Download
memory/3076-121-0x00000000069F0000-0x0000000006AF4000-memory.dmp

Filesize
1.0MB

Download