bb737032137078185195465cdfe7c9d864d5af6105952112a04359f02b286aa0

Analysis

max time kernel
119s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-01-2024 15:32

Target

bb737032137078185195465cdfe7c9d864d5af6105952112a04359f02b286aa0.exe
Size

1.1MB
MD5

c9ebd15d274183485c36bf5f08624bc5
SHA1

33130d5d3c1d8414fc2ec1773ac9d49cc8e0a589
SHA256

bb737032137078185195465cdfe7c9d864d5af6105952112a04359f02b286aa0
SHA512

ee3a0436d6548cb3c79e4b7bfd0e4c62011002adec2c8a0c1302c39f78f45ebf0ff24646058c8da6ffafb40269caab2c52b81f091cb588ff57b46a9a14dcf4bc
SSDEEP

24576:uxR3RFMeR1Ei1iQiYWLg77R0uSF+5JwXgb1081v3iYYKLJxNk:O7R1Eui2Z77R0JF+bmgb1+cxC

Score

7^/10

Executes dropped EXE 2 IoCs

pid	Process
464	Process not Found
2680	alg.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	bb737032137078185195465cdfe7c9d864d5af6105952112a04359f02b286aa0.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	bb737032137078185195465cdfe7c9d864d5af6105952112a04359f02b286aa0.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2036	2040	WerFault.exe	27

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2040	bb737032137078185195465cdfe7c9d864d5af6105952112a04359f02b286aa0.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 2036	2040	bb737032137078185195465cdfe7c9d864d5af6105952112a04359f02b286aa0.exe	28
PID 2040 wrote to memory of 2036	2040	bb737032137078185195465cdfe7c9d864d5af6105952112a04359f02b286aa0.exe	28
PID 2040 wrote to memory of 2036	2040	bb737032137078185195465cdfe7c9d864d5af6105952112a04359f02b286aa0.exe	28
PID 2040 wrote to memory of 2036	2040	bb737032137078185195465cdfe7c9d864d5af6105952112a04359f02b286aa0.exe	28

C:\Users\Admin\AppData\Local\Temp\bb737032137078185195465cdfe7c9d864d5af6105952112a04359f02b286aa0.exe
"C:\Users\Admin\AppData\Local\Temp\bb737032137078185195465cdfe7c9d864d5af6105952112a04359f02b286aa0.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 360
  2⤵
  - Program crash
  PID:2036

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2680

\Windows\System32\alg.exe

Filesize
644KB

MD5
190ae049cc1667eab04ded3b85ed84ff

SHA1
332d0cac36a4ab4e2065780170d3d1b500e595c9

SHA256
6ef9f92b38ad7efd99fa1f485302e9f93fa93948a27bf6a55985dc6192131e42

SHA512
a295b5446f01581a514a07ece7526bf8544989594408af40d012b96b4e4c7ecbc086b99b4c380d86401576caa92846936c8cbe31e22c5ec851a787846f2ff441

Download Submit
memory/2040-0-0x0000000000400000-0x0000000000519000-memory.dmp

Filesize
1.1MB

Download
memory/2040-1-0x0000000000670000-0x00000000006D7000-memory.dmp

Filesize
412KB

Download
memory/2040-7-0x0000000000670000-0x00000000006D7000-memory.dmp

Filesize
412KB

Download
memory/2040-15-0x0000000000400000-0x0000000000519000-memory.dmp

Filesize
1.1MB

Download
memory/2680-13-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2680-16-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download