a96a0ba7998a6956c8073b6eff9306398cc03fb9866e4cabf0810a69bb2a43b2

Analysis

max time kernel
120s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
04/06/2024, 11:22

Target

AteraAgent.exe
Size

142KB
MD5

477293f80461713d51a98a24023d45e8
SHA1

e9aa4e6c514ee951665a7cd6f0b4a4c49146241d
SHA256

a96a0ba7998a6956c8073b6eff9306398cc03fb9866e4cabf0810a69bb2a43b2
SHA512

23f3bd44a5fb66be7fea3f7d6440742b657e4050b565c1f8f4684722502d46b68c9e54dcc2486e7de441482fcc6aa4ad54e94b1d73992eb5d070e2a17f35de2f
SSDEEP

3072:bk/SImWggsVz8TzihTmmrG/GOXYsqRK3ybTXzpUTQM9/FMp:ISWB/YrRK3yb37

Score

1^/10

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1368	AteraAgent.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1368 wrote to memory of 3004	1368	AteraAgent.exe	28
PID 1368 wrote to memory of 3004	1368	AteraAgent.exe	28
PID 1368 wrote to memory of 3004	1368	AteraAgent.exe	28

C:\Users\Admin\AppData\Local\Temp\AteraAgent.exe
"C:\Users\Admin\AppData\Local\Temp\AteraAgent.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1368
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1368 -s 596
  2⤵
  PID:3004

memory/1368-0-0x000007FEF5F03000-0x000007FEF5F04000-memory.dmp

Filesize
4KB

Download
memory/1368-1-0x0000000001040000-0x0000000001068000-memory.dmp

Filesize
160KB

Download
memory/1368-2-0x000007FEF5F00000-0x000007FEF68EC000-memory.dmp

Filesize
9.9MB

Download
memory/1368-3-0x000007FEF5F03000-0x000007FEF5F04000-memory.dmp

Filesize
4KB

Download
memory/1368-4-0x000007FEF5F00000-0x000007FEF68EC000-memory.dmp

Filesize
9.9MB

Download