blackguard | c50a943a78dc0049438b810fae2973ade0350c6ad76f924348fd56daff9fdf3a

Resubmissions

20-10-2023 03:44

12-10-2023 14:31

max time kernel
41s
max time network
30s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
20-10-2023 03:44

Target

0x000900000000e621-6.exe
Size

1.8MB
MD5

8bbaf95337912b8a1d36594e5bb2f5e6
SHA1

5db26a00543868b7f7bc88ec6597a17cf0dc71ae
SHA256

c50a943a78dc0049438b810fae2973ade0350c6ad76f924348fd56daff9fdf3a
SHA512

3665bbbfced55b369c0a3926fbe1682c3dc80e669d33fc523b4e23c2bbbb38f34b50d04bf369d0104d71ff99c73e9cb3d525408f0f137d7e870d7dded4196620
SSDEEP

49152:RC6pCkV5+fDepJvZA0xY1aBJ4/xRmWr55h:RC6P70MJvZecQ/xEWrR

Score

10^/10

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1508	0x000900000000e621-6.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1508 wrote to memory of 2696	1508	0x000900000000e621-6.exe	29
PID 1508 wrote to memory of 2696	1508	0x000900000000e621-6.exe	29
PID 1508 wrote to memory of 2696	1508	0x000900000000e621-6.exe	29

C:\Users\Admin\AppData\Local\Temp\0x000900000000e621-6.exe
"C:\Users\Admin\AppData\Local\Temp\0x000900000000e621-6.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1508
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1508 -s 1252
  2⤵
  PID:2696

memory/1508-0-0x0000000000140000-0x000000000031C000-memory.dmp

Filesize
1.9MB

Download
memory/1508-1-0x000007FEF5400000-0x000007FEF5DEC000-memory.dmp

Filesize
9.9MB

Download
memory/1508-2-0x0000000000610000-0x0000000000690000-memory.dmp

Filesize
512KB

Download
memory/1508-3-0x000007FEF5400000-0x000007FEF5DEC000-memory.dmp

Filesize
9.9MB

Download
memory/1508-4-0x0000000000610000-0x0000000000690000-memory.dmp

Filesize
512KB

Download