cb8932abc8615354c90558b8bc7eb63ae3dd607ce41cb70172c6f87564cb6ca6

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
04/01/2024, 20:29

Target

41d6b06dbab79f45bc71832c7c691c16.exe
Size

10KB
MD5

41d6b06dbab79f45bc71832c7c691c16
SHA1

6afc1420c3b8594e1d51b413a19683ec227932bb
SHA256

cb8932abc8615354c90558b8bc7eb63ae3dd607ce41cb70172c6f87564cb6ca6
SHA512

bc51aa60cee34da4ec91fc8c918cbe24415ab27720a5b7888209e7ce0511d873fb9c0229e73388c2681c22ced69754c75b5406e0df835882761c5fc0e90997b9
SSDEEP

192:iEVm3Vy7U2Bm7s4/CdqacfXr+ML71lz4+Q7KB1UzP1oy/3u:bmFy7+PXn7fk+Q7KB1U1V

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
2420	update.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3016	1252	WerFault.exe	87

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2420 set thread context of 1252	2420	update.exe	87

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2420	update.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4632 wrote to memory of 2420	4632	41d6b06dbab79f45bc71832c7c691c16.exe	90
PID 4632 wrote to memory of 2420	4632	41d6b06dbab79f45bc71832c7c691c16.exe	90
PID 4632 wrote to memory of 2420	4632	41d6b06dbab79f45bc71832c7c691c16.exe	90
PID 2420 wrote to memory of 1252	2420	update.exe	87
PID 2420 wrote to memory of 1252	2420	update.exe	87
PID 2420 wrote to memory of 1252	2420	update.exe	87
PID 2420 wrote to memory of 1252	2420	update.exe	87
PID 2420 wrote to memory of 1252	2420	update.exe	87

C:\Users\Admin\AppData\Local\Temp\41d6b06dbab79f45bc71832c7c691c16.exe
"C:\Users\Admin\AppData\Local\Temp\41d6b06dbab79f45bc71832c7c691c16.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4632
- C:\ProgramData\update.exe
  C:\ProgramData\update.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2420

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"
1⤵
PID:1252
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1252 -s 12
  2⤵
  - Program crash
  PID:3016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1252 -ip 1252
1⤵
PID:1268

C:\ProgramData\update.exe

Filesize
10KB

MD5
41d6b06dbab79f45bc71832c7c691c16

SHA1
6afc1420c3b8594e1d51b413a19683ec227932bb

SHA256
cb8932abc8615354c90558b8bc7eb63ae3dd607ce41cb70172c6f87564cb6ca6

SHA512
bc51aa60cee34da4ec91fc8c918cbe24415ab27720a5b7888209e7ce0511d873fb9c0229e73388c2681c22ced69754c75b5406e0df835882761c5fc0e90997b9

Download Submit
memory/4632-0-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download