de981a6b78142d6b66f7f62605b1110a441d395ea1c475a6cc823d3ea3af916a

Analysis

max time kernel
118s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
20/12/2023, 04:00

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

06e11a74aa70baafdd097bf296ce99ec183393a39f4b9b6818ef11d1d41875ca.exe
Size

954KB
MD5

eea5a59ef6ef5fb0b97e7b90cb861c76
SHA1

150445df55b90c9ba96c8eae2b05eecd3c4bf257
SHA256

06e11a74aa70baafdd097bf296ce99ec183393a39f4b9b6818ef11d1d41875ca
SHA512

b08a2cc43416c3ad88d63fdaab264777106530a690d0a11a81d2224952c5e2d62128ac9507cccccb6df4ac8cce4dd11bfd53bd3a9daa0a480c2a6fb66fdca413
SSDEEP

12288:TGXDY6t60JcOY+nsEQnu6HCjSsZWvi6p/BZuqFBYmcCMSN8GlJGsJcdyUSHR7wC7:6zo0Nsdal8vigOSNzg2coUsR7Nkyt

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2056 set thread context of 2692	2056	06e11a74aa70baafdd097bf296ce99ec183393a39f4b9b6818ef11d1d41875ca.exe	34

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2172	2692	WerFault.exe	34

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2056	06e11a74aa70baafdd097bf296ce99ec183393a39f4b9b6818ef11d1d41875ca.exe
2056	06e11a74aa70baafdd097bf296ce99ec183393a39f4b9b6818ef11d1d41875ca.exe
2056	06e11a74aa70baafdd097bf296ce99ec183393a39f4b9b6818ef11d1d41875ca.exe
2056	06e11a74aa70baafdd097bf296ce99ec183393a39f4b9b6818ef11d1d41875ca.exe
2056	06e11a74aa70baafdd097bf296ce99ec183393a39f4b9b6818ef11d1d41875ca.exe
2056	06e11a74aa70baafdd097bf296ce99ec183393a39f4b9b6818ef11d1d41875ca.exe
2056	06e11a74aa70baafdd097bf296ce99ec183393a39f4b9b6818ef11d1d41875ca.exe
2056	06e11a74aa70baafdd097bf296ce99ec183393a39f4b9b6818ef11d1d41875ca.exe
2692	06e11a74aa70baafdd097bf296ce99ec183393a39f4b9b6818ef11d1d41875ca.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2056	06e11a74aa70baafdd097bf296ce99ec183393a39f4b9b6818ef11d1d41875ca.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2056 wrote to memory of 2684	2056	06e11a74aa70baafdd097bf296ce99ec183393a39f4b9b6818ef11d1d41875ca.exe	30
PID 2056 wrote to memory of 2684	2056	06e11a74aa70baafdd097bf296ce99ec183393a39f4b9b6818ef11d1d41875ca.exe	30
PID 2056 wrote to memory of 2684	2056	06e11a74aa70baafdd097bf296ce99ec183393a39f4b9b6818ef11d1d41875ca.exe	30
PID 2056 wrote to memory of 2684	2056	06e11a74aa70baafdd097bf296ce99ec183393a39f4b9b6818ef11d1d41875ca.exe	30
PID 2056 wrote to memory of 2824	2056	06e11a74aa70baafdd097bf296ce99ec183393a39f4b9b6818ef11d1d41875ca.exe	31
PID 2056 wrote to memory of 2824	2056	06e11a74aa70baafdd097bf296ce99ec183393a39f4b9b6818ef11d1d41875ca.exe	31
PID 2056 wrote to memory of 2824	2056	06e11a74aa70baafdd097bf296ce99ec183393a39f4b9b6818ef11d1d41875ca.exe	31
PID 2056 wrote to memory of 2824	2056	06e11a74aa70baafdd097bf296ce99ec183393a39f4b9b6818ef11d1d41875ca.exe	31
PID 2056 wrote to memory of 2796	2056	06e11a74aa70baafdd097bf296ce99ec183393a39f4b9b6818ef11d1d41875ca.exe	32
PID 2056 wrote to memory of 2796	2056	06e11a74aa70baafdd097bf296ce99ec183393a39f4b9b6818ef11d1d41875ca.exe	32
PID 2056 wrote to memory of 2796	2056	06e11a74aa70baafdd097bf296ce99ec183393a39f4b9b6818ef11d1d41875ca.exe	32
PID 2056 wrote to memory of 2796	2056	06e11a74aa70baafdd097bf296ce99ec183393a39f4b9b6818ef11d1d41875ca.exe	32
PID 2056 wrote to memory of 2740	2056	06e11a74aa70baafdd097bf296ce99ec183393a39f4b9b6818ef11d1d41875ca.exe	33
PID 2056 wrote to memory of 2740	2056	06e11a74aa70baafdd097bf296ce99ec183393a39f4b9b6818ef11d1d41875ca.exe	33
PID 2056 wrote to memory of 2740	2056	06e11a74aa70baafdd097bf296ce99ec183393a39f4b9b6818ef11d1d41875ca.exe	33
PID 2056 wrote to memory of 2740	2056	06e11a74aa70baafdd097bf296ce99ec183393a39f4b9b6818ef11d1d41875ca.exe	33
PID 2056 wrote to memory of 2692	2056	06e11a74aa70baafdd097bf296ce99ec183393a39f4b9b6818ef11d1d41875ca.exe	34
PID 2056 wrote to memory of 2692	2056	06e11a74aa70baafdd097bf296ce99ec183393a39f4b9b6818ef11d1d41875ca.exe	34
PID 2056 wrote to memory of 2692	2056	06e11a74aa70baafdd097bf296ce99ec183393a39f4b9b6818ef11d1d41875ca.exe	34
PID 2056 wrote to memory of 2692	2056	06e11a74aa70baafdd097bf296ce99ec183393a39f4b9b6818ef11d1d41875ca.exe	34
PID 2056 wrote to memory of 2692	2056	06e11a74aa70baafdd097bf296ce99ec183393a39f4b9b6818ef11d1d41875ca.exe	34
PID 2056 wrote to memory of 2692	2056	06e11a74aa70baafdd097bf296ce99ec183393a39f4b9b6818ef11d1d41875ca.exe	34
PID 2056 wrote to memory of 2692	2056	06e11a74aa70baafdd097bf296ce99ec183393a39f4b9b6818ef11d1d41875ca.exe	34
PID 2692 wrote to memory of 2172	2692	06e11a74aa70baafdd097bf296ce99ec183393a39f4b9b6818ef11d1d41875ca.exe	35
PID 2692 wrote to memory of 2172	2692	06e11a74aa70baafdd097bf296ce99ec183393a39f4b9b6818ef11d1d41875ca.exe	35
PID 2692 wrote to memory of 2172	2692	06e11a74aa70baafdd097bf296ce99ec183393a39f4b9b6818ef11d1d41875ca.exe	35
PID 2692 wrote to memory of 2172	2692	06e11a74aa70baafdd097bf296ce99ec183393a39f4b9b6818ef11d1d41875ca.exe	35

C:\Users\Admin\AppData\Local\Temp\06e11a74aa70baafdd097bf296ce99ec183393a39f4b9b6818ef11d1d41875ca.exe
"C:\Users\Admin\AppData\Local\Temp\06e11a74aa70baafdd097bf296ce99ec183393a39f4b9b6818ef11d1d41875ca.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2056
- C:\Users\Admin\AppData\Local\Temp\06e11a74aa70baafdd097bf296ce99ec183393a39f4b9b6818ef11d1d41875ca.exe
  "C:\Users\Admin\AppData\Local\Temp\06e11a74aa70baafdd097bf296ce99ec183393a39f4b9b6818ef11d1d41875ca.exe"
  2⤵
  PID:2684
- C:\Users\Admin\AppData\Local\Temp\06e11a74aa70baafdd097bf296ce99ec183393a39f4b9b6818ef11d1d41875ca.exe
  "C:\Users\Admin\AppData\Local\Temp\06e11a74aa70baafdd097bf296ce99ec183393a39f4b9b6818ef11d1d41875ca.exe"
  2⤵
  PID:2824
- C:\Users\Admin\AppData\Local\Temp\06e11a74aa70baafdd097bf296ce99ec183393a39f4b9b6818ef11d1d41875ca.exe
  "C:\Users\Admin\AppData\Local\Temp\06e11a74aa70baafdd097bf296ce99ec183393a39f4b9b6818ef11d1d41875ca.exe"
  2⤵
  PID:2796
- C:\Users\Admin\AppData\Local\Temp\06e11a74aa70baafdd097bf296ce99ec183393a39f4b9b6818ef11d1d41875ca.exe
  "C:\Users\Admin\AppData\Local\Temp\06e11a74aa70baafdd097bf296ce99ec183393a39f4b9b6818ef11d1d41875ca.exe"
  2⤵
  PID:2740
- C:\Users\Admin\AppData\Local\Temp\06e11a74aa70baafdd097bf296ce99ec183393a39f4b9b6818ef11d1d41875ca.exe
  "C:\Users\Admin\AppData\Local\Temp\06e11a74aa70baafdd097bf296ce99ec183393a39f4b9b6818ef11d1d41875ca.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 36
    3⤵
    - Program crash
    PID:2172

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2056-6-0x0000000005E30000-0x0000000005EB8000-memory.dmp

Filesize
544KB

Download
memory/2056-14-0x00000000747F0000-0x0000000074EDE000-memory.dmp

Filesize
6.9MB

Download
memory/2056-2-0x0000000004CF0000-0x0000000004D30000-memory.dmp

Filesize
256KB

Download
memory/2056-3-0x00000000003C0000-0x00000000003D8000-memory.dmp

Filesize
96KB

Download
memory/2056-4-0x00000000003E0000-0x00000000003E8000-memory.dmp

Filesize
32KB

Download
memory/2056-5-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2056-1-0x00000000001D0000-0x00000000002C4000-memory.dmp

Filesize
976KB

Download
memory/2056-15-0x00000000747F0000-0x0000000074EDE000-memory.dmp

Filesize
6.9MB

Download
memory/2056-0-0x00000000747F0000-0x0000000074EDE000-memory.dmp

Filesize
6.9MB

Download
memory/2692-13-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2692-7-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2692-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2692-9-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2692-16-0x0000000000890000-0x0000000000B93000-memory.dmp

Filesize
3.0MB

Download
memory/2692-17-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download