de823b703cefdd77b5acbe06b19e8d0f844d0930f9c3609237d1fbd15a73c9cc

Analysis

max time kernel
121s
max time network
124s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
28-07-2023 07:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b4fd2f6ea8eb477d5a35414f7c196719.exe
Size

533KB
MD5

b4fd2f6ea8eb477d5a35414f7c196719
SHA1

061cad3050117c5956b4b701e5f6e396aa696067
SHA256

de823b703cefdd77b5acbe06b19e8d0f844d0930f9c3609237d1fbd15a73c9cc
SHA512

1745b469d67cd7f89c2496728ebfeecb6a32dae01549d0918027b30ddf325cc9eec11d671cfe6931ddf9b73af80f92262856b1a55bf8b01d2c22e5e7163da500
SSDEEP

12288:uVIjEbiFS+LbnoBnQqmi8feE0H/7v6r13BnbNxk+4ivuqY4J4:uVIjEWFS+LbKQq9dJORRAcbY+4

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2424 set thread context of 2432	2424	b4fd2f6ea8eb477d5a35414f7c196719.exe	38

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1084	2432	WerFault.exe	38

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2424	b4fd2f6ea8eb477d5a35414f7c196719.exe
2424	b4fd2f6ea8eb477d5a35414f7c196719.exe
2424	b4fd2f6ea8eb477d5a35414f7c196719.exe
2424	b4fd2f6ea8eb477d5a35414f7c196719.exe
2424	b4fd2f6ea8eb477d5a35414f7c196719.exe
2424	b4fd2f6ea8eb477d5a35414f7c196719.exe
2424	b4fd2f6ea8eb477d5a35414f7c196719.exe
2424	b4fd2f6ea8eb477d5a35414f7c196719.exe
2424	b4fd2f6ea8eb477d5a35414f7c196719.exe
2424	b4fd2f6ea8eb477d5a35414f7c196719.exe
2424	b4fd2f6ea8eb477d5a35414f7c196719.exe
2424	b4fd2f6ea8eb477d5a35414f7c196719.exe
2424	b4fd2f6ea8eb477d5a35414f7c196719.exe
2424	b4fd2f6ea8eb477d5a35414f7c196719.exe
2424	b4fd2f6ea8eb477d5a35414f7c196719.exe
2424	b4fd2f6ea8eb477d5a35414f7c196719.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2424	b4fd2f6ea8eb477d5a35414f7c196719.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2424 wrote to memory of 2240	2424	b4fd2f6ea8eb477d5a35414f7c196719.exe	30
PID 2424 wrote to memory of 2240	2424	b4fd2f6ea8eb477d5a35414f7c196719.exe	30
PID 2424 wrote to memory of 2240	2424	b4fd2f6ea8eb477d5a35414f7c196719.exe	30
PID 2424 wrote to memory of 2524	2424	b4fd2f6ea8eb477d5a35414f7c196719.exe	31
PID 2424 wrote to memory of 2524	2424	b4fd2f6ea8eb477d5a35414f7c196719.exe	31
PID 2424 wrote to memory of 2524	2424	b4fd2f6ea8eb477d5a35414f7c196719.exe	31
PID 2424 wrote to memory of 2168	2424	b4fd2f6ea8eb477d5a35414f7c196719.exe	32
PID 2424 wrote to memory of 2168	2424	b4fd2f6ea8eb477d5a35414f7c196719.exe	32
PID 2424 wrote to memory of 2168	2424	b4fd2f6ea8eb477d5a35414f7c196719.exe	32
PID 2424 wrote to memory of 2512	2424	b4fd2f6ea8eb477d5a35414f7c196719.exe	33
PID 2424 wrote to memory of 2512	2424	b4fd2f6ea8eb477d5a35414f7c196719.exe	33
PID 2424 wrote to memory of 2512	2424	b4fd2f6ea8eb477d5a35414f7c196719.exe	33
PID 2424 wrote to memory of 2332	2424	b4fd2f6ea8eb477d5a35414f7c196719.exe	34
PID 2424 wrote to memory of 2332	2424	b4fd2f6ea8eb477d5a35414f7c196719.exe	34
PID 2424 wrote to memory of 2332	2424	b4fd2f6ea8eb477d5a35414f7c196719.exe	34
PID 2424 wrote to memory of 2364	2424	b4fd2f6ea8eb477d5a35414f7c196719.exe	35
PID 2424 wrote to memory of 2364	2424	b4fd2f6ea8eb477d5a35414f7c196719.exe	35
PID 2424 wrote to memory of 2364	2424	b4fd2f6ea8eb477d5a35414f7c196719.exe	35
PID 2424 wrote to memory of 2508	2424	b4fd2f6ea8eb477d5a35414f7c196719.exe	36
PID 2424 wrote to memory of 2508	2424	b4fd2f6ea8eb477d5a35414f7c196719.exe	36
PID 2424 wrote to memory of 2508	2424	b4fd2f6ea8eb477d5a35414f7c196719.exe	36
PID 2424 wrote to memory of 2464	2424	b4fd2f6ea8eb477d5a35414f7c196719.exe	37
PID 2424 wrote to memory of 2464	2424	b4fd2f6ea8eb477d5a35414f7c196719.exe	37
PID 2424 wrote to memory of 2464	2424	b4fd2f6ea8eb477d5a35414f7c196719.exe	37
PID 2424 wrote to memory of 2432	2424	b4fd2f6ea8eb477d5a35414f7c196719.exe	38
PID 2424 wrote to memory of 2432	2424	b4fd2f6ea8eb477d5a35414f7c196719.exe	38
PID 2424 wrote to memory of 2432	2424	b4fd2f6ea8eb477d5a35414f7c196719.exe	38
PID 2424 wrote to memory of 2432	2424	b4fd2f6ea8eb477d5a35414f7c196719.exe	38
PID 2424 wrote to memory of 2432	2424	b4fd2f6ea8eb477d5a35414f7c196719.exe	38
PID 2424 wrote to memory of 2432	2424	b4fd2f6ea8eb477d5a35414f7c196719.exe	38
PID 2424 wrote to memory of 2432	2424	b4fd2f6ea8eb477d5a35414f7c196719.exe	38
PID 2424 wrote to memory of 2432	2424	b4fd2f6ea8eb477d5a35414f7c196719.exe	38
PID 2424 wrote to memory of 2432	2424	b4fd2f6ea8eb477d5a35414f7c196719.exe	38
PID 2424 wrote to memory of 2432	2424	b4fd2f6ea8eb477d5a35414f7c196719.exe	38
PID 2424 wrote to memory of 2432	2424	b4fd2f6ea8eb477d5a35414f7c196719.exe	38
PID 2424 wrote to memory of 2432	2424	b4fd2f6ea8eb477d5a35414f7c196719.exe	38
PID 2424 wrote to memory of 2432	2424	b4fd2f6ea8eb477d5a35414f7c196719.exe	38
PID 2424 wrote to memory of 2432	2424	b4fd2f6ea8eb477d5a35414f7c196719.exe	38
PID 2432 wrote to memory of 1084	2432	Setup.exe	39
PID 2432 wrote to memory of 1084	2432	Setup.exe	39
PID 2432 wrote to memory of 1084	2432	Setup.exe	39
PID 2432 wrote to memory of 1084	2432	Setup.exe	39

C:\Users\Admin\AppData\Local\Temp\b4fd2f6ea8eb477d5a35414f7c196719.exe
"C:\Users\Admin\AppData\Local\Temp\b4fd2f6ea8eb477d5a35414f7c196719.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2424
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe"
  2⤵
  PID:2240
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
  2⤵
  PID:2524
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"
  2⤵
  PID:2168
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe"
  2⤵
  PID:2512
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
  2⤵
  PID:2332
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"
  2⤵
  PID:2364
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe"
  2⤵
  PID:2508
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe"
  2⤵
  PID:2464
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\Setup.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\Setup.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2432
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 304
    3⤵
    - Program crash
    PID:1084

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2424-54-0x000007FEF62F0000-0x000007FEF6CDC000-memory.dmp

Filesize
9.9MB

Download
memory/2424-55-0x0000000000E60000-0x0000000000EEA000-memory.dmp

Filesize
552KB

Download
memory/2424-56-0x000007FEF62F0000-0x000007FEF6CDC000-memory.dmp

Filesize
9.9MB

Download
memory/2424-57-0x00000000002D0000-0x0000000000350000-memory.dmp

Filesize
512KB

Download
memory/2424-59-0x000000001ADD0000-0x000000001AE52000-memory.dmp

Filesize
520KB

Download
memory/2424-62-0x000007FEF62F0000-0x000007FEF6CDC000-memory.dmp

Filesize
9.9MB

Download
memory/2432-61-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download