11f6e26ef8a05340910ed5c91ead0071bac77bbb6a99cbeaa8d576b33b4dd061

Analysis

max time kernel
117s
max time network
120s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
03/11/2023, 07:56

Target

REVISED DOCUMENTS.exe
Size

51KB
MD5

ba53bdd60b0b6efa84cdfb0cf7c85752
SHA1

809d7cb8a546a5ca8efbddd17deb97abf2d9e1a2
SHA256

11f6e26ef8a05340910ed5c91ead0071bac77bbb6a99cbeaa8d576b33b4dd061
SHA512

e7928ff2c4d1919c00ed80aac40c97980147194ea56ca787965d5d061190a36832abe3f68169b37b0f0a6c52ba9a71a3bf5d439781202ea3ec841c8a800de4d2
SSDEEP

768:tuPeg4Pl6FVd73Fxc0a7gJkPdGMRqIjNDk+KYhaK+LhtvirD+9BvPdD7Ypn:qqa5KgmzRqIj5nKsanLHqnYXdKn

Score

1^/10

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1260	REVISED DOCUMENTS.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1260 wrote to memory of 1304	1260	REVISED DOCUMENTS.exe	28
PID 1260 wrote to memory of 1304	1260	REVISED DOCUMENTS.exe	28
PID 1260 wrote to memory of 1304	1260	REVISED DOCUMENTS.exe	28

C:\Users\Admin\AppData\Local\Temp\REVISED DOCUMENTS.exe
"C:\Users\Admin\AppData\Local\Temp\REVISED DOCUMENTS.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1260
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1260 -s 1172
  2⤵
  PID:1304

memory/1260-0-0x0000000000D10000-0x0000000000D22000-memory.dmp

Filesize
72KB

Download
memory/1260-1-0x000007FEF56A0000-0x000007FEF608C000-memory.dmp

Filesize
9.9MB

Download
memory/1260-2-0x000000001B910000-0x000000001B990000-memory.dmp

Filesize
512KB

Download
memory/1260-3-0x000007FEF56A0000-0x000007FEF608C000-memory.dmp

Filesize
9.9MB

Download
memory/1260-4-0x000000001B910000-0x000000001B990000-memory.dmp

Filesize
512KB

Download