d851df3f793d5b1e0e292fb201710f8ed5af2622747f8689eee42567c16c99c1

Analysis

max time kernel
142s
max time network
189s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 08:02

Target

12e6970bd5f3d35748d0221c41b009b4.exe
Size

18KB
MD5

12e6970bd5f3d35748d0221c41b009b4
SHA1

3cbfb3c3c6a50262db7494c27015d296c499e6f2
SHA256

d851df3f793d5b1e0e292fb201710f8ed5af2622747f8689eee42567c16c99c1
SHA512

4791f523a1a683a27c3cd89a104890ab00c581d7e63e4b2b257efcf48f72491579539e82e511bbef8e404951af54ef9496370f8760c68341a66dd216e3844099
SSDEEP

384:iwitDixReG0xWien6zFgKzND07xDfxIuuE8Zv9DW3yzC:Nm+Rpye6zWKzNDfuuEcQe

Score

7^/10

upx

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/memory/2608-0-0x0000000010000000-0x0000000010011000-memory.dmp	upx
behavioral2/memory/2608-1-0x0000000010000000-0x0000000010011000-memory.dmp	upx
behavioral2/memory/2608-2-0x0000000010000000-0x0000000010011000-memory.dmp	upx
behavioral2/memory/2608-3-0x0000000010000000-0x0000000010011000-memory.dmp	upx
behavioral2/memory/2608-4-0x0000000010000000-0x0000000010011000-memory.dmp	upx

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1244	2608	WerFault.exe	89
2444	2608	WerFault.exe	89

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2608	12e6970bd5f3d35748d0221c41b009b4.exe
Token: SeLoadDriverPrivilege	2608	12e6970bd5f3d35748d0221c41b009b4.exe
Token: SeBackupPrivilege	2608	12e6970bd5f3d35748d0221c41b009b4.exe
Token: SeRestorePrivilege	2608	12e6970bd5f3d35748d0221c41b009b4.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2608 wrote to memory of 1244	2608	12e6970bd5f3d35748d0221c41b009b4.exe	97
PID 2608 wrote to memory of 1244	2608	12e6970bd5f3d35748d0221c41b009b4.exe	97
PID 2608 wrote to memory of 1244	2608	12e6970bd5f3d35748d0221c41b009b4.exe	97

C:\Users\Admin\AppData\Local\Temp\12e6970bd5f3d35748d0221c41b009b4.exe
"C:\Users\Admin\AppData\Local\Temp\12e6970bd5f3d35748d0221c41b009b4.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2608
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2608 -s 312
  2⤵
  - Program crash
  PID:1244
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2608 -s 312
  2⤵
  - Program crash
  PID:2444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2608 -ip 2608
1⤵
PID:1676

memory/2608-0-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download
memory/2608-1-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download
memory/2608-2-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download
memory/2608-3-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download
memory/2608-4-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download