18ff5c6d7aed24f4bfe05429a1e37df23de7a4e096e2667bf387b9ed392a5121

Analysis

max time kernel
142s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
22/07/2023, 04:34

Target

103746e75cc79da6379bc879dd58b17a.exe
Size

443KB
MD5

103746e75cc79da6379bc879dd58b17a
SHA1

555ce45d76c0149d46832609e2f96c24b4ea28fb
SHA256

18ff5c6d7aed24f4bfe05429a1e37df23de7a4e096e2667bf387b9ed392a5121
SHA512

f5d4c391d7925797d5ac720c9a5bd1aa9e98fa0ab162246a34ae445c58e9c5c4e4b271fdf5cb3b4d7ee8eba812a8a43c65c0481d569fad2051638afe686f4594
SSDEEP

3072:5Jva8TO6HM4cRRk0fn3zpOuF7+Qr7skOY6Z1ueyqUTiDd+vvYLgsfF8bYThAK2AG:yLXntt1RK1ueJUeU0QYTCGDpWxdCrzW

Score

6^/10

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
16	ip-api.com

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4388	werfault.exe

C:\Users\Admin\AppData\Local\Temp\103746e75cc79da6379bc879dd58b17a.exe
"C:\Users\Admin\AppData\Local\Temp\103746e75cc79da6379bc879dd58b17a.exe"
1⤵
PID:4536
- C:\Windows\System32\werfault.exe
  \??\C:\Windows\System32\werfault.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4388

memory/4388-134-0x0000023A0CCB0000-0x0000023A0CCC4000-memory.dmp

Filesize
80KB

Download
memory/4388-135-0x00007FF850250000-0x00007FF850D11000-memory.dmp

Filesize
10.8MB

Download
memory/4388-136-0x0000023A27280000-0x0000023A27290000-memory.dmp

Filesize
64KB

Download
memory/4388-137-0x0000023A27280000-0x0000023A27290000-memory.dmp

Filesize
64KB

Download
memory/4388-139-0x00007FF850250000-0x00007FF850D11000-memory.dmp

Filesize
10.8MB

Download
memory/4388-140-0x0000023A27280000-0x0000023A27290000-memory.dmp

Filesize
64KB

Download
memory/4536-133-0x00007FF86DBD0000-0x00007FF86DDC5000-memory.dmp

Filesize
2.0MB

Download