d391ab8cbe5abb12553d2fbbfe2b6b6e7ed324ccb965a7982a5f1a1a2e8db6d2

Analysis

max time kernel
120s
max time network
123s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
03-09-2023 07:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

254b59f42e31662e8f96e920f41fce17.exe
Size

562KB
MD5

254b59f42e31662e8f96e920f41fce17
SHA1

6fc8dad426bacbe61e3c45525b99b5e9d131abfa
SHA256

d391ab8cbe5abb12553d2fbbfe2b6b6e7ed324ccb965a7982a5f1a1a2e8db6d2
SHA512

65350c7fc7a810fdb418c13f621cb0a0d20a012337ef9269a6292de8bde364277a8a56873f9cb7deda94cbe21736ac79044344c80570594c10949ea7b8870f5a
SSDEEP

12288:U7/Rv/yjqjEZjb0uYZRU04qm77kteMJR4GHdVlksHgwixnYTm7PHh:gXSk4faZRJ277PMJ+GHHlVynYTg/h

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1672 set thread context of 2344	1672	254b59f42e31662e8f96e920f41fce17.exe	35

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2768	2344	WerFault.exe	35

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1672	254b59f42e31662e8f96e920f41fce17.exe
1672	254b59f42e31662e8f96e920f41fce17.exe
1672	254b59f42e31662e8f96e920f41fce17.exe
1672	254b59f42e31662e8f96e920f41fce17.exe
1672	254b59f42e31662e8f96e920f41fce17.exe
1672	254b59f42e31662e8f96e920f41fce17.exe
1672	254b59f42e31662e8f96e920f41fce17.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1672	254b59f42e31662e8f96e920f41fce17.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 1672 wrote to memory of 1584	1672	254b59f42e31662e8f96e920f41fce17.exe	28
PID 1672 wrote to memory of 1584	1672	254b59f42e31662e8f96e920f41fce17.exe	28
PID 1672 wrote to memory of 1584	1672	254b59f42e31662e8f96e920f41fce17.exe	28
PID 1672 wrote to memory of 1200	1672	254b59f42e31662e8f96e920f41fce17.exe	29
PID 1672 wrote to memory of 1200	1672	254b59f42e31662e8f96e920f41fce17.exe	29
PID 1672 wrote to memory of 1200	1672	254b59f42e31662e8f96e920f41fce17.exe	29
PID 1672 wrote to memory of 2912	1672	254b59f42e31662e8f96e920f41fce17.exe	30
PID 1672 wrote to memory of 2912	1672	254b59f42e31662e8f96e920f41fce17.exe	30
PID 1672 wrote to memory of 2912	1672	254b59f42e31662e8f96e920f41fce17.exe	30
PID 1672 wrote to memory of 2956	1672	254b59f42e31662e8f96e920f41fce17.exe	31
PID 1672 wrote to memory of 2956	1672	254b59f42e31662e8f96e920f41fce17.exe	31
PID 1672 wrote to memory of 2956	1672	254b59f42e31662e8f96e920f41fce17.exe	31
PID 1672 wrote to memory of 2308	1672	254b59f42e31662e8f96e920f41fce17.exe	32
PID 1672 wrote to memory of 2308	1672	254b59f42e31662e8f96e920f41fce17.exe	32
PID 1672 wrote to memory of 2308	1672	254b59f42e31662e8f96e920f41fce17.exe	32
PID 1672 wrote to memory of 1960	1672	254b59f42e31662e8f96e920f41fce17.exe	33
PID 1672 wrote to memory of 1960	1672	254b59f42e31662e8f96e920f41fce17.exe	33
PID 1672 wrote to memory of 1960	1672	254b59f42e31662e8f96e920f41fce17.exe	33
PID 1672 wrote to memory of 2256	1672	254b59f42e31662e8f96e920f41fce17.exe	34
PID 1672 wrote to memory of 2256	1672	254b59f42e31662e8f96e920f41fce17.exe	34
PID 1672 wrote to memory of 2256	1672	254b59f42e31662e8f96e920f41fce17.exe	34
PID 1672 wrote to memory of 2344	1672	254b59f42e31662e8f96e920f41fce17.exe	35
PID 1672 wrote to memory of 2344	1672	254b59f42e31662e8f96e920f41fce17.exe	35
PID 1672 wrote to memory of 2344	1672	254b59f42e31662e8f96e920f41fce17.exe	35
PID 1672 wrote to memory of 2344	1672	254b59f42e31662e8f96e920f41fce17.exe	35
PID 1672 wrote to memory of 2344	1672	254b59f42e31662e8f96e920f41fce17.exe	35
PID 1672 wrote to memory of 2344	1672	254b59f42e31662e8f96e920f41fce17.exe	35
PID 1672 wrote to memory of 2344	1672	254b59f42e31662e8f96e920f41fce17.exe	35
PID 1672 wrote to memory of 2344	1672	254b59f42e31662e8f96e920f41fce17.exe	35
PID 1672 wrote to memory of 2344	1672	254b59f42e31662e8f96e920f41fce17.exe	35
PID 1672 wrote to memory of 2344	1672	254b59f42e31662e8f96e920f41fce17.exe	35
PID 1672 wrote to memory of 2344	1672	254b59f42e31662e8f96e920f41fce17.exe	35
PID 1672 wrote to memory of 2344	1672	254b59f42e31662e8f96e920f41fce17.exe	35
PID 1672 wrote to memory of 2344	1672	254b59f42e31662e8f96e920f41fce17.exe	35
PID 1672 wrote to memory of 2344	1672	254b59f42e31662e8f96e920f41fce17.exe	35
PID 1672 wrote to memory of 2344	1672	254b59f42e31662e8f96e920f41fce17.exe	35
PID 2344 wrote to memory of 2768	2344	Setup.exe	36
PID 2344 wrote to memory of 2768	2344	Setup.exe	36
PID 2344 wrote to memory of 2768	2344	Setup.exe	36
PID 2344 wrote to memory of 2768	2344	Setup.exe	36

C:\Users\Admin\AppData\Local\Temp\254b59f42e31662e8f96e920f41fce17.exe
"C:\Users\Admin\AppData\Local\Temp\254b59f42e31662e8f96e920f41fce17.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"
  2⤵
  PID:1584
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe"
  2⤵
  PID:1200
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe"
  2⤵
  PID:2912
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe"
  2⤵
  PID:2956
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
  2⤵
  PID:2308
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe"
  2⤵
  PID:1960
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe"
  2⤵
  PID:2256
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\Setup.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\Setup.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2344
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2344 -s 304
    3⤵
    - Program crash
    PID:2768

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1672-0-0x0000000000A10000-0x0000000000AA0000-memory.dmp

Filesize
576KB

Download
memory/1672-1-0x000007FEF5490000-0x000007FEF5E7C000-memory.dmp

Filesize
9.9MB

Download
memory/1672-2-0x000000001AF70000-0x000000001AFF0000-memory.dmp

Filesize
512KB

Download
memory/1672-3-0x0000000000260000-0x0000000000266000-memory.dmp

Filesize
24KB

Download
memory/1672-4-0x0000000000270000-0x000000000028A000-memory.dmp

Filesize
104KB

Download
memory/1672-5-0x000000001AC00000-0x000000001AC88000-memory.dmp

Filesize
544KB

Download
memory/1672-7-0x000007FEF5490000-0x000007FEF5E7C000-memory.dmp

Filesize
9.9MB

Download
memory/2344-6-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download