19f5a1432457383a9f992ee9b9ebf5e719b3709dc630146a083843a582d6996f

Analysis

max time kernel
119s
max time network
134s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
13-10-2023 20:37

Target

FACTRA09876545689000.exe
Size

473KB
MD5

1853308b40b353d110ecbd0c0e09b24a
SHA1

3b6f5aceb5d114178304588493eed2281718f358
SHA256

19f5a1432457383a9f992ee9b9ebf5e719b3709dc630146a083843a582d6996f
SHA512

f053ed9f68b5fd55f57e4cccf40271109c89e282fa67dc4a195a0c89b9d79198431ed785fbbb35450775feaa37235a288e3b28dfaa39f64611cb0fd8523c7b89
SSDEEP

12288:gkSMfMGuMFex9HNHfMGuMFex6R1SNjRZxF:jSMEGMSGMlNjR

Score

7^/10

Drops startup file 2 IoCs

Processes:

Powershell.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Powershell.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2664 2448 WerFault.exe FACTRA09876545689000.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

Powershell.exe

pid process

2080 Powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Powershell.exe

description pid process

Token: SeDebugPrivilege 2080 Powershell.exe

pid	pid_target	process	target process
2664	2448	WerFault.exe	FACTRA09876545689000.exe

pid	process
2080	Powershell.exe

description	pid	process
Token: SeDebugPrivilege	2080	Powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

FACTRA09876545689000.exe

description	pid	process	target process
PID 2448 wrote to memory of 2080	2448	FACTRA09876545689000.exe	Powershell.exe
PID 2448 wrote to memory of 2080	2448	FACTRA09876545689000.exe	Powershell.exe
PID 2448 wrote to memory of 2080	2448	FACTRA09876545689000.exe	Powershell.exe
PID 2448 wrote to memory of 2080	2448	FACTRA09876545689000.exe	Powershell.exe
PID 2448 wrote to memory of 2660	2448	FACTRA09876545689000.exe	FACTRA09876545689000.exe
PID 2448 wrote to memory of 2660	2448	FACTRA09876545689000.exe	FACTRA09876545689000.exe
PID 2448 wrote to memory of 2660	2448	FACTRA09876545689000.exe	FACTRA09876545689000.exe
PID 2448 wrote to memory of 2660	2448	FACTRA09876545689000.exe	FACTRA09876545689000.exe
PID 2448 wrote to memory of 2664	2448	FACTRA09876545689000.exe	WerFault.exe
PID 2448 wrote to memory of 2664	2448	FACTRA09876545689000.exe	WerFault.exe
PID 2448 wrote to memory of 2664	2448	FACTRA09876545689000.exe	WerFault.exe
PID 2448 wrote to memory of 2664	2448	FACTRA09876545689000.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\FACTRA09876545689000.exe
"C:\Users\Admin\AppData\Local\Temp\FACTRA09876545689000.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2448

C:\Users\Admin\AppData\Local\Temp\FACTRA09876545689000.exe
"C:\Users\Admin\AppData\Local\Temp\FACTRA09876545689000.exe"
2⤵
PID:2660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 608
2⤵
- Program crash
PID:2664

memory/2080-5-0x000000006FB30000-0x00000000700DB000-memory.dmp

Filesize
5.7MB

Download
memory/2080-6-0x000000006FB30000-0x00000000700DB000-memory.dmp

Filesize
5.7MB

Download
memory/2080-7-0x0000000002710000-0x0000000002750000-memory.dmp

Filesize
256KB

Download
memory/2080-8-0x0000000002710000-0x0000000002750000-memory.dmp

Filesize
256KB

Download
memory/2080-9-0x0000000002710000-0x0000000002750000-memory.dmp

Filesize
256KB

Download
memory/2080-12-0x000000006FB30000-0x00000000700DB000-memory.dmp

Filesize
5.7MB

Download
memory/2448-0-0x00000000012E0000-0x000000000135C000-memory.dmp

Filesize
496KB

Download
memory/2448-1-0x0000000074460000-0x0000000074B4E000-memory.dmp

Filesize
6.9MB

Download
memory/2448-2-0x0000000000AE0000-0x0000000000B52000-memory.dmp

Filesize
456KB

Download
memory/2448-10-0x0000000000560000-0x000000000056A000-memory.dmp

Filesize
40KB

Download
memory/2448-13-0x0000000074460000-0x0000000074B4E000-memory.dmp

Filesize
6.9MB

Download