3d50def77cb8e4e01e4af9bb6cf08af8defe1eb760f955875b31236e92cce675

Analysis

max time kernel
134s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
14/05/2024, 20:49

Target

3d50def77cb8e4e01e4af9bb6cf08af8defe1eb760f955875b31236e92cce675.exe
Size

31KB
MD5

5dbdb42fe9bbd3c1d820cdb3e89f578e
SHA1

28f2efe59cf3d355db90be70aa6d2e1547d8e7b0
SHA256

3d50def77cb8e4e01e4af9bb6cf08af8defe1eb760f955875b31236e92cce675
SHA512

ed3781c395fae7184a1b00f0605b32e8cc5f0452b993df455a0dd6088be47fefe6d35f0e202d47ef7aca0bfe43d255d6bcd34bca2c20f3ca6ed67556a8840574
SSDEEP

768:GT4wO+PkS0JAVnVibDdPNOLxdGvVkT/bmyf65rTv:aO+nVS4B3S5X

Score

7^/10

Executes dropped EXE 2 IoCs

pid	Process
2992	system32smass.exe
1016	system32smass.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1016 set thread context of 932	1016	system32smass.exe	85

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32smass.exe	3d50def77cb8e4e01e4af9bb6cf08af8defe1eb760f955875b31236e92cce675.exe
File opened for modification	C:\Windows\system32smass.exe	3d50def77cb8e4e01e4af9bb6cf08af8defe1eb760f955875b31236e92cce675.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3364	932	WerFault.exe	85

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	736	3d50def77cb8e4e01e4af9bb6cf08af8defe1eb760f955875b31236e92cce675.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
932	svchost.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 736 wrote to memory of 2992	736	3d50def77cb8e4e01e4af9bb6cf08af8defe1eb760f955875b31236e92cce675.exe	82
PID 736 wrote to memory of 2992	736	3d50def77cb8e4e01e4af9bb6cf08af8defe1eb760f955875b31236e92cce675.exe	82
PID 736 wrote to memory of 2992	736	3d50def77cb8e4e01e4af9bb6cf08af8defe1eb760f955875b31236e92cce675.exe	82
PID 736 wrote to memory of 2300	736	3d50def77cb8e4e01e4af9bb6cf08af8defe1eb760f955875b31236e92cce675.exe	83
PID 736 wrote to memory of 2300	736	3d50def77cb8e4e01e4af9bb6cf08af8defe1eb760f955875b31236e92cce675.exe	83
PID 736 wrote to memory of 2300	736	3d50def77cb8e4e01e4af9bb6cf08af8defe1eb760f955875b31236e92cce675.exe	83
PID 1016 wrote to memory of 932	1016	system32smass.exe	85
PID 1016 wrote to memory of 932	1016	system32smass.exe	85
PID 1016 wrote to memory of 932	1016	system32smass.exe	85
PID 1016 wrote to memory of 932	1016	system32smass.exe	85
PID 1016 wrote to memory of 932	1016	system32smass.exe	85

C:\Users\Admin\AppData\Local\Temp\3d50def77cb8e4e01e4af9bb6cf08af8defe1eb760f955875b31236e92cce675.exe
"C:\Users\Admin\AppData\Local\Temp\3d50def77cb8e4e01e4af9bb6cf08af8defe1eb760f955875b31236e92cce675.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:736
- C:\Windows\system32smass.exe
  "C:\Windows\system32smass.exe"
  2⤵
  - Executes dropped EXE
  PID:2992
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C del C:\Users\Admin\AppData\Local\Temp\3D50DE~1.EXE > nul
  2⤵
  PID:2300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 932 -ip 932
1⤵
PID:4848

C:\Windows\system32smass.exe

Filesize
31KB

MD5
5dbdb42fe9bbd3c1d820cdb3e89f578e

SHA1
28f2efe59cf3d355db90be70aa6d2e1547d8e7b0

SHA256
3d50def77cb8e4e01e4af9bb6cf08af8defe1eb760f955875b31236e92cce675

SHA512
ed3781c395fae7184a1b00f0605b32e8cc5f0452b993df455a0dd6088be47fefe6d35f0e202d47ef7aca0bfe43d255d6bcd34bca2c20f3ca6ed67556a8840574

Download Submit
memory/932-6-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download