3b79e392617523720c040a2e0b39f0ff47593a420ecc9edcb9cd8b9e1d7baca6

Resubmissions

14-11-2023 13:20

14-11-2023 13:15

max time kernel
1561s
max time network
1563s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
14-11-2023 13:20

Target

1.exe
Size

668KB
MD5

1eda484bf740bdf87173a46271d8dd1a
SHA1

813dcaf2c989519707b140a7382b5e5c633c392f
SHA256

3b79e392617523720c040a2e0b39f0ff47593a420ecc9edcb9cd8b9e1d7baca6
SHA512

8f6585a57e4ef6dc330ff95232357973a1586ef632eff0a4af0e77d55e0c9deab40f2082dd4b760a20bbbb1ea4230e0fd5a970c9060bef277f479b88f9df52cc
SSDEEP

12288:Ki8qEisUH/9r7ECv6pfryKLnURZIRqWcev1UXF4UgiA8LX5ckq:eqEWlr78pzyrZIAVZ3Kk

Score

5^/10

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2020 set thread context of 2720	2020	1.exe	31

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2476	2720	WerFault.exe	31

Suspicious behavior: EnumeratesProcesses 4 IoCs

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2020	1.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 2640	2020	1.exe	30
PID 2020 wrote to memory of 2640	2020	1.exe	30
PID 2020 wrote to memory of 2640	2020	1.exe	30
PID 2020 wrote to memory of 2640	2020	1.exe	30
PID 2020 wrote to memory of 2720	2020	1.exe	31
PID 2020 wrote to memory of 2720	2020	1.exe	31
PID 2020 wrote to memory of 2720	2020	1.exe	31
PID 2020 wrote to memory of 2720	2020	1.exe	31
PID 2020 wrote to memory of 2720	2020	1.exe	31
PID 2020 wrote to memory of 2720	2020	1.exe	31
PID 2020 wrote to memory of 2720	2020	1.exe	31
PID 2720 wrote to memory of 2476	2720	1.exe	32
PID 2720 wrote to memory of 2476	2720	1.exe	32
PID 2720 wrote to memory of 2476	2720	1.exe	32
PID 2720 wrote to memory of 2476	2720	1.exe	32

C:\Users\Admin\AppData\Local\Temp\1.exe
"C:\Users\Admin\AppData\Local\Temp\1.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Users\Admin\AppData\Local\Temp\1.exe
  "C:\Users\Admin\AppData\Local\Temp\1.exe"
  2⤵
  PID:2640
- C:\Users\Admin\AppData\Local\Temp\1.exe
  "C:\Users\Admin\AppData\Local\Temp\1.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2720
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2720 -s 36
    3⤵
    - Program crash
    PID:2476

memory/2020-6-0x00000000005C0000-0x00000000005CC000-memory.dmp

Filesize
48KB

Download
memory/2020-1-0x0000000074600000-0x0000000074CEE000-memory.dmp

Filesize
6.9MB

Download
memory/2020-2-0x0000000004BF0000-0x0000000004C30000-memory.dmp

Filesize
256KB

Download
memory/2020-3-0x00000000003F0000-0x0000000000406000-memory.dmp

Filesize
88KB

Download
memory/2020-4-0x0000000074600000-0x0000000074CEE000-memory.dmp

Filesize
6.9MB

Download
memory/2020-5-0x0000000000410000-0x0000000000418000-memory.dmp

Filesize
32KB

Download
memory/2020-0-0x0000000001390000-0x000000000143A000-memory.dmp

Filesize
680KB

Download
memory/2020-7-0x00000000056D0000-0x000000000574A000-memory.dmp

Filesize
488KB

Download
memory/2020-14-0x0000000074600000-0x0000000074CEE000-memory.dmp

Filesize
6.9MB

Download
memory/2720-8-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2720-10-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2720-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2720-13-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download