5ff2447ce941617ea8dadb36c0c9337327fe5d8275dc6bedddc6f82d48c40aed

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
16-07-2024 15:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5ff2447ce941617ea8dadb36c0c9337327fe5d8275dc6bedddc6f82d48c40aed.exe
Size

146KB
MD5

ae7eef690ade68c8dae761255d6acd57
SHA1

992023ea4a92944411a7535d57b3fe7b63de19df
SHA256

5ff2447ce941617ea8dadb36c0c9337327fe5d8275dc6bedddc6f82d48c40aed
SHA512

5b2ff4d3d2084dbf2e3772a59a94c50e3062e379546cd09b53ea215bcbe406c477a3388788f7fa75497fa34bcc68e8bae77bb4741a83fba200fead702d4db2cd
SSDEEP

3072:qaJMdf2tSt72hETdLEuC27WxlZFSN1E7UP5dbwX/XzvhPQ:qaJMdf2tS9zTdYuC27YZzYTUX/X1

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2720	5ff2447ce941617ea8dadb36c0c9337327fe5d8275dc6bedddc6f82d48c40aed.exe
2720	5ff2447ce941617ea8dadb36c0c9337327fe5d8275dc6bedddc6f82d48c40aed.exe
2720	5ff2447ce941617ea8dadb36c0c9337327fe5d8275dc6bedddc6f82d48c40aed.exe
2720	5ff2447ce941617ea8dadb36c0c9337327fe5d8275dc6bedddc6f82d48c40aed.exe
2720	5ff2447ce941617ea8dadb36c0c9337327fe5d8275dc6bedddc6f82d48c40aed.exe
2720	5ff2447ce941617ea8dadb36c0c9337327fe5d8275dc6bedddc6f82d48c40aed.exe
2720	5ff2447ce941617ea8dadb36c0c9337327fe5d8275dc6bedddc6f82d48c40aed.exe
2720	5ff2447ce941617ea8dadb36c0c9337327fe5d8275dc6bedddc6f82d48c40aed.exe
2720	5ff2447ce941617ea8dadb36c0c9337327fe5d8275dc6bedddc6f82d48c40aed.exe
2720	5ff2447ce941617ea8dadb36c0c9337327fe5d8275dc6bedddc6f82d48c40aed.exe
2720	5ff2447ce941617ea8dadb36c0c9337327fe5d8275dc6bedddc6f82d48c40aed.exe
2720	5ff2447ce941617ea8dadb36c0c9337327fe5d8275dc6bedddc6f82d48c40aed.exe
2720	5ff2447ce941617ea8dadb36c0c9337327fe5d8275dc6bedddc6f82d48c40aed.exe
2720	5ff2447ce941617ea8dadb36c0c9337327fe5d8275dc6bedddc6f82d48c40aed.exe
2720	5ff2447ce941617ea8dadb36c0c9337327fe5d8275dc6bedddc6f82d48c40aed.exe
2720	5ff2447ce941617ea8dadb36c0c9337327fe5d8275dc6bedddc6f82d48c40aed.exe
2720	5ff2447ce941617ea8dadb36c0c9337327fe5d8275dc6bedddc6f82d48c40aed.exe
2720	5ff2447ce941617ea8dadb36c0c9337327fe5d8275dc6bedddc6f82d48c40aed.exe
2720	5ff2447ce941617ea8dadb36c0c9337327fe5d8275dc6bedddc6f82d48c40aed.exe
2720	5ff2447ce941617ea8dadb36c0c9337327fe5d8275dc6bedddc6f82d48c40aed.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2720	5ff2447ce941617ea8dadb36c0c9337327fe5d8275dc6bedddc6f82d48c40aed.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 2720 wrote to memory of 2928	2720	5ff2447ce941617ea8dadb36c0c9337327fe5d8275dc6bedddc6f82d48c40aed.exe	30
PID 2720 wrote to memory of 2928	2720	5ff2447ce941617ea8dadb36c0c9337327fe5d8275dc6bedddc6f82d48c40aed.exe	30
PID 2720 wrote to memory of 2928	2720	5ff2447ce941617ea8dadb36c0c9337327fe5d8275dc6bedddc6f82d48c40aed.exe	30
PID 2720 wrote to memory of 2928	2720	5ff2447ce941617ea8dadb36c0c9337327fe5d8275dc6bedddc6f82d48c40aed.exe	30
PID 2720 wrote to memory of 2896	2720	5ff2447ce941617ea8dadb36c0c9337327fe5d8275dc6bedddc6f82d48c40aed.exe	31
PID 2720 wrote to memory of 2896	2720	5ff2447ce941617ea8dadb36c0c9337327fe5d8275dc6bedddc6f82d48c40aed.exe	31
PID 2720 wrote to memory of 2896	2720	5ff2447ce941617ea8dadb36c0c9337327fe5d8275dc6bedddc6f82d48c40aed.exe	31
PID 2720 wrote to memory of 2896	2720	5ff2447ce941617ea8dadb36c0c9337327fe5d8275dc6bedddc6f82d48c40aed.exe	31
PID 2720 wrote to memory of 2908	2720	5ff2447ce941617ea8dadb36c0c9337327fe5d8275dc6bedddc6f82d48c40aed.exe	32
PID 2720 wrote to memory of 2908	2720	5ff2447ce941617ea8dadb36c0c9337327fe5d8275dc6bedddc6f82d48c40aed.exe	32
PID 2720 wrote to memory of 2908	2720	5ff2447ce941617ea8dadb36c0c9337327fe5d8275dc6bedddc6f82d48c40aed.exe	32
PID 2720 wrote to memory of 2908	2720	5ff2447ce941617ea8dadb36c0c9337327fe5d8275dc6bedddc6f82d48c40aed.exe	32
PID 2720 wrote to memory of 2952	2720	5ff2447ce941617ea8dadb36c0c9337327fe5d8275dc6bedddc6f82d48c40aed.exe	33
PID 2720 wrote to memory of 2952	2720	5ff2447ce941617ea8dadb36c0c9337327fe5d8275dc6bedddc6f82d48c40aed.exe	33
PID 2720 wrote to memory of 2952	2720	5ff2447ce941617ea8dadb36c0c9337327fe5d8275dc6bedddc6f82d48c40aed.exe	33
PID 2720 wrote to memory of 2952	2720	5ff2447ce941617ea8dadb36c0c9337327fe5d8275dc6bedddc6f82d48c40aed.exe	33
PID 2720 wrote to memory of 3060	2720	5ff2447ce941617ea8dadb36c0c9337327fe5d8275dc6bedddc6f82d48c40aed.exe	34
PID 2720 wrote to memory of 3060	2720	5ff2447ce941617ea8dadb36c0c9337327fe5d8275dc6bedddc6f82d48c40aed.exe	34
PID 2720 wrote to memory of 3060	2720	5ff2447ce941617ea8dadb36c0c9337327fe5d8275dc6bedddc6f82d48c40aed.exe	34
PID 2720 wrote to memory of 3060	2720	5ff2447ce941617ea8dadb36c0c9337327fe5d8275dc6bedddc6f82d48c40aed.exe	34
PID 2720 wrote to memory of 2732	2720	5ff2447ce941617ea8dadb36c0c9337327fe5d8275dc6bedddc6f82d48c40aed.exe	35
PID 2720 wrote to memory of 2732	2720	5ff2447ce941617ea8dadb36c0c9337327fe5d8275dc6bedddc6f82d48c40aed.exe	35
PID 2720 wrote to memory of 2732	2720	5ff2447ce941617ea8dadb36c0c9337327fe5d8275dc6bedddc6f82d48c40aed.exe	35
PID 2720 wrote to memory of 2732	2720	5ff2447ce941617ea8dadb36c0c9337327fe5d8275dc6bedddc6f82d48c40aed.exe	35
PID 2720 wrote to memory of 2932	2720	5ff2447ce941617ea8dadb36c0c9337327fe5d8275dc6bedddc6f82d48c40aed.exe	36
PID 2720 wrote to memory of 2932	2720	5ff2447ce941617ea8dadb36c0c9337327fe5d8275dc6bedddc6f82d48c40aed.exe	36
PID 2720 wrote to memory of 2932	2720	5ff2447ce941617ea8dadb36c0c9337327fe5d8275dc6bedddc6f82d48c40aed.exe	36
PID 2720 wrote to memory of 2932	2720	5ff2447ce941617ea8dadb36c0c9337327fe5d8275dc6bedddc6f82d48c40aed.exe	36
PID 2720 wrote to memory of 2652	2720	5ff2447ce941617ea8dadb36c0c9337327fe5d8275dc6bedddc6f82d48c40aed.exe	37
PID 2720 wrote to memory of 2652	2720	5ff2447ce941617ea8dadb36c0c9337327fe5d8275dc6bedddc6f82d48c40aed.exe	37
PID 2720 wrote to memory of 2652	2720	5ff2447ce941617ea8dadb36c0c9337327fe5d8275dc6bedddc6f82d48c40aed.exe	37
PID 2720 wrote to memory of 2652	2720	5ff2447ce941617ea8dadb36c0c9337327fe5d8275dc6bedddc6f82d48c40aed.exe	37
PID 2720 wrote to memory of 2644	2720	5ff2447ce941617ea8dadb36c0c9337327fe5d8275dc6bedddc6f82d48c40aed.exe	38
PID 2720 wrote to memory of 2644	2720	5ff2447ce941617ea8dadb36c0c9337327fe5d8275dc6bedddc6f82d48c40aed.exe	38
PID 2720 wrote to memory of 2644	2720	5ff2447ce941617ea8dadb36c0c9337327fe5d8275dc6bedddc6f82d48c40aed.exe	38
PID 2720 wrote to memory of 2644	2720	5ff2447ce941617ea8dadb36c0c9337327fe5d8275dc6bedddc6f82d48c40aed.exe	38
PID 2720 wrote to memory of 2416	2720	5ff2447ce941617ea8dadb36c0c9337327fe5d8275dc6bedddc6f82d48c40aed.exe	39
PID 2720 wrote to memory of 2416	2720	5ff2447ce941617ea8dadb36c0c9337327fe5d8275dc6bedddc6f82d48c40aed.exe	39
PID 2720 wrote to memory of 2416	2720	5ff2447ce941617ea8dadb36c0c9337327fe5d8275dc6bedddc6f82d48c40aed.exe	39
PID 2720 wrote to memory of 2416	2720	5ff2447ce941617ea8dadb36c0c9337327fe5d8275dc6bedddc6f82d48c40aed.exe	39
PID 2720 wrote to memory of 2640	2720	5ff2447ce941617ea8dadb36c0c9337327fe5d8275dc6bedddc6f82d48c40aed.exe	40
PID 2720 wrote to memory of 2640	2720	5ff2447ce941617ea8dadb36c0c9337327fe5d8275dc6bedddc6f82d48c40aed.exe	40
PID 2720 wrote to memory of 2640	2720	5ff2447ce941617ea8dadb36c0c9337327fe5d8275dc6bedddc6f82d48c40aed.exe	40

C:\Users\Admin\AppData\Local\Temp\5ff2447ce941617ea8dadb36c0c9337327fe5d8275dc6bedddc6f82d48c40aed.exe
"C:\Users\Admin\AppData\Local\Temp\5ff2447ce941617ea8dadb36c0c9337327fe5d8275dc6bedddc6f82d48c40aed.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2720
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:2928
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:2896
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:2908
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:2952
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:3060
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:2732
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:2932
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:2652
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:2644
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:2416
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2720 -s 1436
  2⤵
  PID:2640

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2720-0-0x000007FEF5B43000-0x000007FEF5B44000-memory.dmp

Filesize
4KB

Download
memory/2720-1-0x0000000000940000-0x000000000096A000-memory.dmp

Filesize
168KB

Download
memory/2720-2-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp

Filesize
9.9MB

Download
memory/2720-3-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2720-4-0x000007FEF5B43000-0x000007FEF5B44000-memory.dmp

Filesize
4KB

Download
memory/2720-5-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp

Filesize
9.9MB

Download