3a7327bd54ba0dfa36bbf0b9d0dc820984d6d0e0316cfa4045ab4c1e7e447282

Analysis

max time kernel
94s
max time network
96s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
31-05-2024 21:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a7327bd54ba0dfa36bbf0b9d0dc820984d6d0e0316cfa4045ab4c1e7e447282.exe
Size

2.2MB
MD5

e817cc929fbc651c5bdab9e8cca0d9d9
SHA1

4d73dc2afcde6a1dcf9417c0120252a2d8fd246f
SHA256

3a7327bd54ba0dfa36bbf0b9d0dc820984d6d0e0316cfa4045ab4c1e7e447282
SHA512

a9c1e547ef74c20e0a21dfc951463fb6883a23da4c323c96c5e64ac5793e774ceae898d4cf486e1bf1ea8fb69360610639a1046005fcdb9bd9f8463aec4a3e2f
SSDEEP

49152:Znv1H6cOicCqvWtLfr1/7IBSWCRBClm7gXKxfsvX7TXL:XHLhbQsV/7bRBClagXnv77

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

Processes:

3a7327bd54ba0dfa36bbf0b9d0dc820984d6d0e0316cfa4045ab4c1e7e447282.exe

description	pid	process	target process
PID 3892 set thread context of 4484	3892	3a7327bd54ba0dfa36bbf0b9d0dc820984d6d0e0316cfa4045ab4c1e7e447282.exe	3a7327bd54ba0dfa36bbf0b9d0dc820984d6d0e0316cfa4045ab4c1e7e447282.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1528 4484 WerFault.exe 3a7327bd54ba0dfa36bbf0b9d0dc820984d6d0e0316cfa4045ab4c1e7e447282.exe

pid	pid_target	process	target process
1528	4484	WerFault.exe	3a7327bd54ba0dfa36bbf0b9d0dc820984d6d0e0316cfa4045ab4c1e7e447282.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

3a7327bd54ba0dfa36bbf0b9d0dc820984d6d0e0316cfa4045ab4c1e7e447282.exe

description	pid	process
Token: SeDebugPrivilege	3892	3a7327bd54ba0dfa36bbf0b9d0dc820984d6d0e0316cfa4045ab4c1e7e447282.exe
Token: SeDebugPrivilege	3892	3a7327bd54ba0dfa36bbf0b9d0dc820984d6d0e0316cfa4045ab4c1e7e447282.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

3a7327bd54ba0dfa36bbf0b9d0dc820984d6d0e0316cfa4045ab4c1e7e447282.exe

description	pid	process	target process
PID 3892 wrote to memory of 4484	3892	3a7327bd54ba0dfa36bbf0b9d0dc820984d6d0e0316cfa4045ab4c1e7e447282.exe	3a7327bd54ba0dfa36bbf0b9d0dc820984d6d0e0316cfa4045ab4c1e7e447282.exe
PID 3892 wrote to memory of 4484	3892	3a7327bd54ba0dfa36bbf0b9d0dc820984d6d0e0316cfa4045ab4c1e7e447282.exe	3a7327bd54ba0dfa36bbf0b9d0dc820984d6d0e0316cfa4045ab4c1e7e447282.exe
PID 3892 wrote to memory of 4484	3892	3a7327bd54ba0dfa36bbf0b9d0dc820984d6d0e0316cfa4045ab4c1e7e447282.exe	3a7327bd54ba0dfa36bbf0b9d0dc820984d6d0e0316cfa4045ab4c1e7e447282.exe
PID 3892 wrote to memory of 4484	3892	3a7327bd54ba0dfa36bbf0b9d0dc820984d6d0e0316cfa4045ab4c1e7e447282.exe	3a7327bd54ba0dfa36bbf0b9d0dc820984d6d0e0316cfa4045ab4c1e7e447282.exe
PID 3892 wrote to memory of 4484	3892	3a7327bd54ba0dfa36bbf0b9d0dc820984d6d0e0316cfa4045ab4c1e7e447282.exe	3a7327bd54ba0dfa36bbf0b9d0dc820984d6d0e0316cfa4045ab4c1e7e447282.exe
PID 3892 wrote to memory of 4484	3892	3a7327bd54ba0dfa36bbf0b9d0dc820984d6d0e0316cfa4045ab4c1e7e447282.exe	3a7327bd54ba0dfa36bbf0b9d0dc820984d6d0e0316cfa4045ab4c1e7e447282.exe
PID 3892 wrote to memory of 4484	3892	3a7327bd54ba0dfa36bbf0b9d0dc820984d6d0e0316cfa4045ab4c1e7e447282.exe	3a7327bd54ba0dfa36bbf0b9d0dc820984d6d0e0316cfa4045ab4c1e7e447282.exe
PID 3892 wrote to memory of 4484	3892	3a7327bd54ba0dfa36bbf0b9d0dc820984d6d0e0316cfa4045ab4c1e7e447282.exe	3a7327bd54ba0dfa36bbf0b9d0dc820984d6d0e0316cfa4045ab4c1e7e447282.exe
PID 3892 wrote to memory of 4484	3892	3a7327bd54ba0dfa36bbf0b9d0dc820984d6d0e0316cfa4045ab4c1e7e447282.exe	3a7327bd54ba0dfa36bbf0b9d0dc820984d6d0e0316cfa4045ab4c1e7e447282.exe

C:\Users\Admin\AppData\Local\Temp\3a7327bd54ba0dfa36bbf0b9d0dc820984d6d0e0316cfa4045ab4c1e7e447282.exe
"C:\Users\Admin\AppData\Local\Temp\3a7327bd54ba0dfa36bbf0b9d0dc820984d6d0e0316cfa4045ab4c1e7e447282.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3892
- C:\Users\Admin\AppData\Local\Temp\3a7327bd54ba0dfa36bbf0b9d0dc820984d6d0e0316cfa4045ab4c1e7e447282.exe
  "C:\Users\Admin\AppData\Local\Temp\3a7327bd54ba0dfa36bbf0b9d0dc820984d6d0e0316cfa4045ab4c1e7e447282.exe"
  2⤵
  PID:4484
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4484 -s 304
    3⤵
    - Program crash
    PID:1528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4484 -ip 4484
1⤵
PID:2028

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3892-0-0x0000000074C1E000-0x0000000074C1F000-memory.dmp

Filesize
4KB

Download
memory/3892-1-0x0000000000060000-0x00000000002A0000-memory.dmp

Filesize
2.2MB

Download
memory/3892-3-0x0000000004E40000-0x000000000505C000-memory.dmp

Filesize
2.1MB

Download
memory/3892-2-0x0000000074C10000-0x00000000753C1000-memory.dmp

Filesize
7.7MB

Download
memory/3892-4-0x0000000006190000-0x00000000063AE000-memory.dmp

Filesize
2.1MB

Download
memory/3892-5-0x0000000006980000-0x0000000006F26000-memory.dmp

Filesize
5.6MB

Download
memory/3892-6-0x0000000006470000-0x0000000006502000-memory.dmp

Filesize
584KB

Download
memory/3892-8-0x0000000006190000-0x00000000063A8000-memory.dmp

Filesize
2.1MB

Download
memory/3892-17-0x0000000006190000-0x00000000063A8000-memory.dmp

Filesize
2.1MB

Download
memory/3892-13-0x0000000006190000-0x00000000063A8000-memory.dmp

Filesize
2.1MB

Download
memory/3892-36-0x0000000006190000-0x00000000063A8000-memory.dmp

Filesize
2.1MB

Download
memory/3892-34-0x0000000006190000-0x00000000063A8000-memory.dmp

Filesize
2.1MB

Download
memory/3892-32-0x0000000006190000-0x00000000063A8000-memory.dmp

Filesize
2.1MB

Download
memory/3892-30-0x0000000006190000-0x00000000063A8000-memory.dmp

Filesize
2.1MB

Download
memory/3892-48-0x0000000006190000-0x00000000063A8000-memory.dmp

Filesize
2.1MB

Download
memory/3892-70-0x0000000006190000-0x00000000063A8000-memory.dmp

Filesize
2.1MB

Download
memory/3892-69-0x0000000006190000-0x00000000063A8000-memory.dmp

Filesize
2.1MB

Download
memory/3892-66-0x0000000006190000-0x00000000063A8000-memory.dmp

Filesize
2.1MB

Download
memory/3892-64-0x0000000006190000-0x00000000063A8000-memory.dmp

Filesize
2.1MB

Download
memory/3892-54-0x0000000006190000-0x00000000063A8000-memory.dmp

Filesize
2.1MB

Download
memory/3892-52-0x0000000006190000-0x00000000063A8000-memory.dmp

Filesize
2.1MB

Download
memory/3892-50-0x0000000006190000-0x00000000063A8000-memory.dmp

Filesize
2.1MB

Download
memory/3892-46-0x0000000006190000-0x00000000063A8000-memory.dmp

Filesize
2.1MB

Download
memory/3892-62-0x0000000006190000-0x00000000063A8000-memory.dmp

Filesize
2.1MB

Download
memory/3892-60-0x0000000006190000-0x00000000063A8000-memory.dmp

Filesize
2.1MB

Download
memory/3892-58-0x0000000006190000-0x00000000063A8000-memory.dmp

Filesize
2.1MB

Download
memory/3892-56-0x0000000006190000-0x00000000063A8000-memory.dmp

Filesize
2.1MB

Download
memory/3892-44-0x0000000006190000-0x00000000063A8000-memory.dmp

Filesize
2.1MB

Download
memory/3892-39-0x0000000006190000-0x00000000063A8000-memory.dmp

Filesize
2.1MB

Download
memory/3892-40-0x0000000006190000-0x00000000063A8000-memory.dmp

Filesize
2.1MB

Download
memory/3892-28-0x0000000006190000-0x00000000063A8000-memory.dmp

Filesize
2.1MB

Download
memory/3892-26-0x0000000006190000-0x00000000063A8000-memory.dmp

Filesize
2.1MB

Download
memory/3892-24-0x0000000006190000-0x00000000063A8000-memory.dmp

Filesize
2.1MB

Download
memory/3892-42-0x0000000006190000-0x00000000063A8000-memory.dmp

Filesize
2.1MB

Download
memory/3892-22-0x0000000006190000-0x00000000063A8000-memory.dmp

Filesize
2.1MB

Download
memory/3892-20-0x0000000006190000-0x00000000063A8000-memory.dmp

Filesize
2.1MB

Download
memory/3892-18-0x0000000006190000-0x00000000063A8000-memory.dmp

Filesize
2.1MB

Download
memory/3892-10-0x0000000006190000-0x00000000063A8000-memory.dmp

Filesize
2.1MB

Download
memory/3892-14-0x0000000006190000-0x00000000063A8000-memory.dmp

Filesize
2.1MB

Download
memory/3892-7-0x0000000006190000-0x00000000063A8000-memory.dmp

Filesize
2.1MB

Download
memory/3892-4893-0x0000000074C10000-0x00000000753C1000-memory.dmp

Filesize
7.7MB

Download
memory/3892-4894-0x00000000066B0000-0x0000000006708000-memory.dmp

Filesize
352KB

Download
memory/3892-4895-0x0000000006710000-0x000000000675C000-memory.dmp

Filesize
304KB

Download
memory/3892-4896-0x0000000074C1E000-0x0000000074C1F000-memory.dmp

Filesize
4KB

Download
memory/3892-4897-0x0000000074C10000-0x00000000753C1000-memory.dmp

Filesize
7.7MB

Download
memory/3892-4898-0x0000000074C10000-0x00000000753C1000-memory.dmp

Filesize
7.7MB

Download
memory/3892-4899-0x0000000004D20000-0x0000000004D74000-memory.dmp

Filesize
336KB

Download
memory/3892-4909-0x0000000074C10000-0x00000000753C1000-memory.dmp

Filesize
7.7MB

Download