Analysis

  max time kernel:   117s
  max time network:  118s
  platform:          windows7_x64
  resource:          win7-20240708-en
  resource tags:     arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  submitted:         15-07-2024 15:37

Static task
  static1
  1 signatures

Behavioral task
  behavioral1
  Sample:    rDoc_87993766478.exe
  Resource:  win7-20240708-en (windows7-x64)
  3 signatures
  150 seconds

Behavioral task
  behavioral2
  Sample:    rDoc_87993766478.exe
  Resource:  win10v2004-20240709-en (windows10-2004-x64)
  8 signatures
  150 seconds
General

  Target:  rDoc_87993766478.exe
  Size:    146KB
  MD5:     ae7eef690ade68c8dae761255d6acd57
  SHA1:    992023ea4a92944411a7535d57b3fe7b63de19df
  SHA256:  5ff2447ce941617ea8dadb36c0c9337327fe5d8275dc6bedddc6f82d48c40aed
  SHA512:  5b2ff4d3d2084dbf2e3772a59a94c50e3062e379546cd09b53ea215bcbe406c477a3388788f7fa75497fa34bcc68e8bae77bb4741a83fba200fead702d4db2cd
  SSDEEP:  3072:qaJMdf2tSt72hETdLEuC27WxlZFSN1E7UP5dbwX/XzvhPQ:qaJMdf2tS9zTdYuC27YZzYTUX/X1

Score
  1/10
Malware Config
Signatures
- Suspicious behavior: EnumeratesProcesses (20 IoCs)

  pid   Process
  2200  rDoc_87993766478.exe
  2200  rDoc_87993766478.exe
  2200  rDoc_87993766478.exe
  2200  rDoc_87993766478.exe
  2200  rDoc_87993766478.exe
  2200  rDoc_87993766478.exe
  2200  rDoc_87993766478.exe
  2200  rDoc_87993766478.exe
  2200  rDoc_87993766478.exe
  2200  rDoc_87993766478.exe
  2200  rDoc_87993766478.exe
  2200  rDoc_87993766478.exe
  2200  rDoc_87993766478.exe
  2200  rDoc_87993766478.exe
  2200  rDoc_87993766478.exe
  2200  rDoc_87993766478.exe
  2200  rDoc_87993766478.exe
  2200  rDoc_87993766478.exe
  2200  rDoc_87993766478.exe
  2200  rDoc_87993766478.exe

- Suspicious use of AdjustPrivilegeToken (1 IoC)

  description               pid   Process
  Token: SeDebugPrivilege   2200  rDoc_87993766478.exe

- Suspicious use of WriteProcessMemory (43 IoCs)

  description                         pid   Process               procid_target
  PID 2200 wrote to memory of 2964    2200  rDoc_87993766478.exe  30
  PID 2200 wrote to memory of 2964    2200  rDoc_87993766478.exe  30
  PID 2200 wrote to memory of 2964    2200  rDoc_87993766478.exe  30
  PID 2200 wrote to memory of 2964    2200  rDoc_87993766478.exe  30
  PID 2200 wrote to memory of 2700    2200  rDoc_87993766478.exe  31
  PID 2200 wrote to memory of 2700    2200  rDoc_87993766478.exe  31
  PID 2200 wrote to memory of 2700    2200  rDoc_87993766478.exe  31
  PID 2200 wrote to memory of 2700    2200  rDoc_87993766478.exe  31
  PID 2200 wrote to memory of 2364    2200  rDoc_87993766478.exe  32
  PID 2200 wrote to memory of 2364    2200  rDoc_87993766478.exe  32
  PID 2200 wrote to memory of 2364    2200  rDoc_87993766478.exe  32
  PID 2200 wrote to memory of 2364    2200  rDoc_87993766478.exe  32
  PID 2200 wrote to memory of 2652    2200  rDoc_87993766478.exe  33
  PID 2200 wrote to memory of 2652    2200  rDoc_87993766478.exe  33
  PID 2200 wrote to memory of 2652    2200  rDoc_87993766478.exe  33
  PID 2200 wrote to memory of 2652    2200  rDoc_87993766478.exe  33
  PID 2200 wrote to memory of 2672    2200  rDoc_87993766478.exe  34
  PID 2200 wrote to memory of 2672    2200  rDoc_87993766478.exe  34
  PID 2200 wrote to memory of 2672    2200  rDoc_87993766478.exe  34
  PID 2200 wrote to memory of 2672    2200  rDoc_87993766478.exe  34
  PID 2200 wrote to memory of 2800    2200  rDoc_87993766478.exe  35
  PID 2200 wrote to memory of 2800    2200  rDoc_87993766478.exe  35
  PID 2200 wrote to memory of 2800    2200  rDoc_87993766478.exe  35
  PID 2200 wrote to memory of 2800    2200  rDoc_87993766478.exe  35
  PID 2200 wrote to memory of 2776    2200  rDoc_87993766478.exe  36
  PID 2200 wrote to memory of 2776    2200  rDoc_87993766478.exe  36
  PID 2200 wrote to memory of 2776    2200  rDoc_87993766478.exe  36
  PID 2200 wrote to memory of 2776    2200  rDoc_87993766478.exe  36
  PID 2200 wrote to memory of 2784    2200  rDoc_87993766478.exe  37
  PID 2200 wrote to memory of 2784    2200  rDoc_87993766478.exe  37
  PID 2200 wrote to memory of 2784    2200  rDoc_87993766478.exe  37
  PID 2200 wrote to memory of 2784    2200  rDoc_87993766478.exe  37
  PID 2200 wrote to memory of 2772    2200  rDoc_87993766478.exe  38
  PID 2200 wrote to memory of 2772    2200  rDoc_87993766478.exe  38
  PID 2200 wrote to memory of 2772    2200  rDoc_87993766478.exe  38
  PID 2200 wrote to memory of 2772    2200  rDoc_87993766478.exe  38
  PID 2200 wrote to memory of 2004    2200  rDoc_87993766478.exe  39
  PID 2200 wrote to memory of 2004    2200  rDoc_87993766478.exe  39
  PID 2200 wrote to memory of 2004    2200  rDoc_87993766478.exe  39
  PID 2200 wrote to memory of 2004    2200  rDoc_87993766478.exe  39
  PID 2200 wrote to memory of 2824    2200  rDoc_87993766478.exe  40
  PID 2200 wrote to memory of 2824    2200  rDoc_87993766478.exe  40
  PID 2200 wrote to memory of 2824    2200  rDoc_87993766478.exe  40
Processes

  (depth 1) C:\Users\Admin\AppData\Local\Temp\rDoc_87993766478.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\rDoc_87993766478.exe"
            PID: 2200
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

    (depth 2) C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
              Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
              PID: 2964

    (depth 2) C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
              Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
              PID: 2700

    (depth 2) C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
              Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
              PID: 2364

    (depth 2) C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
              Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
              PID: 2652

    (depth 2) C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
              Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
              PID: 2672

    (depth 2) C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
              Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
              PID: 2800

    (depth 2) C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
              Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
              PID: 2776

    (depth 2) C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
              Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
              PID: 2784

    (depth 2) C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
              Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
              PID: 2772

    (depth 2) C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
              Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
              PID: 2004

    (depth 2) C:\Windows\system32\WerFault.exe
              Command line: C:\Windows\system32\WerFault.exe -u -p 2200 -s 1432
              PID: 2824