Analysis

max time kernel: 122s
max time network: 123s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 12/06/2024, 04:53
Static task: static1

Behavioral task: behavioral1
  Sample: a4dc89c484188141b7c627fc86ee967da3298f9b905762dce3d5acc03d021184.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: a4dc89c484188141b7c627fc86ee967da3298f9b905762dce3d5acc03d021184.exe
  Resource: win10v2004-20240611-en
General

Target: a4dc89c484188141b7c627fc86ee967da3298f9b905762dce3d5acc03d021184.exe
Size: 2.5MB
MD5: 66f59c51e548362c3deb73e5d284b471
SHA1: fe2badaf7bdf59f9edd5e933c7d035b7ba6b646e
SHA256: a4dc89c484188141b7c627fc86ee967da3298f9b905762dce3d5acc03d021184
SHA512: fe25c422285f1253902109ee76097cc8f5926a84cb3d1066bbc886134909c1ff1de32d222c0a759209eafcdb943faade3663dd110a854b3e990920d2e9adb64e
SSDEEP: 49152:DbNBfg/evwCzzQlQbCvuKiTjvF55E2brCVNJT0zcT/nDzxILkS:y+CvuKir5E2br0v0
Malware Config
Signatures

Drops file in Program Files directory (2 IoCs)
  description                  | ioc                                                                                                                                          | Process
  File opened for modification | C:\Program Files (x86)\Trend Micro\Endpoint Basecamp\log\EndpointBasecamp.log                                                                 | a4dc89c484188141b7c627fc86ee967da3298f9b905762dce3d5acc03d021184.exe
  File created                 | C:\Program Files (x86)\Trend Micro\Endpoint Basecamp\a4dc89c484188141b7c627fc86ee967da3298f9b905762dce3d5acc03d021184_1718168020.dmp | a4dc89c484188141b7c627fc86ee967da3298f9b905762dce3d5acc03d021184.exe

Program crash (1 IoC)
  pid  | pid_target | Process      | procid_target
  1960 | 1948       | WerFault.exe | 27

Suspicious behavior: EnumeratesProcesses (5 IoCs)
  pid  | Process
  1948 | a4dc89c484188141b7c627fc86ee967da3298f9b905762dce3d5acc03d021184.exe
  1948 | a4dc89c484188141b7c627fc86ee967da3298f9b905762dce3d5acc03d021184.exe
  1948 | a4dc89c484188141b7c627fc86ee967da3298f9b905762dce3d5acc03d021184.exe
  1948 | a4dc89c484188141b7c627fc86ee967da3298f9b905762dce3d5acc03d021184.exe
  1948 | a4dc89c484188141b7c627fc86ee967da3298f9b905762dce3d5acc03d021184.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description                | pid  | Process
  Token: SeShutdownPrivilege | 1948 | a4dc89c484188141b7c627fc86ee967da3298f9b905762dce3d5acc03d021184.exe

Suspicious use of WriteProcessMemory (4 IoCs)
  description                       | pid  | Process                                                                | procid_target
  PID 1948 wrote to memory of 1960  | 1948 | a4dc89c484188141b7c627fc86ee967da3298f9b905762dce3d5acc03d021184.exe | 29
  PID 1948 wrote to memory of 1960  | 1948 | a4dc89c484188141b7c627fc86ee967da3298f9b905762dce3d5acc03d021184.exe | 29
  PID 1948 wrote to memory of 1960  | 1948 | a4dc89c484188141b7c627fc86ee967da3298f9b905762dce3d5acc03d021184.exe | 29
  PID 1948 wrote to memory of 1960  | 1948 | a4dc89c484188141b7c627fc86ee967da3298f9b905762dce3d5acc03d021184.exe | 29
Processes

1. C:\Users\Admin\AppData\Local\Temp\a4dc89c484188141b7c627fc86ee967da3298f9b905762dce3d5acc03d021184.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\a4dc89c484188141b7c627fc86ee967da3298f9b905762dce3d5acc03d021184.exe"
   PID: 1948
   - Drops file in Program Files directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\WerFault.exe (child of PID 1948)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 336
      PID: 1960
      - Program crash
-
Network
MITRE ATT&CK Matrix
Downloads

Filesize: 1KB
MD5: 1e771f11fe7c5a78197ce9540bfc6364
SHA1: 9383f191a801ed50a9294230c09a9da6f2b6d588
SHA256: 93f843f89c49519707fe9d155e4d98a6acb9c2f66cb33362b924dfe4cfe67498
SHA512: 95cf6157f7deae221dccb9e20365c053188b48b0e2005a71bdb631e058d686c961f187e1dde86c8a8be052e25cfaf2c85060e199cc103c419d473422bffd7b6f