f43dc24a6067339b69d032441ce7e2632e1770361dc33708de46cff9de25475b | Triage

Analysis

max time kernel
27s
max time network
30s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
06/07/2023, 21:12

Sharing

Report Analysis Logs

General

Target

a.exe
Size

359KB
MD5

f55698d82be20d245e141a8f7c19928e
SHA1

45c6a6475d7894b637cf9c74c9227b976db18f24
SHA256

f43dc24a6067339b69d032441ce7e2632e1770361dc33708de46cff9de25475b
SHA512

e95f681e2bc62ddc6fd98f5e429029e10571828a82814dfd819543ca475fe4d54d2e84cf3902a26052d97b13f0a3c88fcfa2df65b6c29223af0fd57aa34577c6
SSDEEP

6144:lQOZ6ys9QMtTHR0FNaXOyMDw+Nc8ntC+ygTRFqOA:l9Z/MtTHR0yXOyMMUfncE7G

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2380	2280	WerFault.exe	28

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2280	a.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 2380	2280	a.exe	29
PID 2280 wrote to memory of 2380	2280	a.exe	29
PID 2280 wrote to memory of 2380	2280	a.exe	29

C:\Users\Admin\AppData\Local\Temp\a.exe
"C:\Users\Admin\AppData\Local\Temp\a.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2280 -s 1160
  2⤵
  - Program crash
  PID:2380

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2280-54-0x0000000001210000-0x000000000126E000-memory.dmp

Filesize
376KB

Download
memory/2280-55-0x000000001B120000-0x000000001B1A0000-memory.dmp

Filesize
512KB

Download