8a7604f32b15636ef4962ade0c127493ff172992d1621b0a65bf429d2cab9d4d

Analysis

max time kernel
300s
max time network
203s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07-08-2024 16:26

Target

gwergewr.exe
Size

4.2MB
MD5

b043f96d8a14f0cc8f9a326af4bdc2da
SHA1

1d2f4ee5a62ebbda4f6acbcc2949fb5e6ae3275b
SHA256

8a7604f32b15636ef4962ade0c127493ff172992d1621b0a65bf429d2cab9d4d
SHA512

d4fa666e212628fb25e7debff6e2afc0f80b8b52841af9070cc307f4d3682e8c6f1811ccadcdeeebc50465ce166667d53aae52e67f1453d0c8db0342ed62e2d4
SSDEEP

98304:ZK8zTOvhT8UEgIP0rw4XiwpuBbNHXxE6ZgQAM/d5kJrD6CBkJHK0S:wcTOpQIIqDUBBH7mQlFK/6Ky7S

Score

5^/10

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1836	gwergewr.exe
1836	gwergewr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	1896	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1896	AUDIODG.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1836 wrote to memory of 4020	1836	gwergewr.exe	87
PID 1836 wrote to memory of 4020	1836	gwergewr.exe	87
PID 1836 wrote to memory of 4832	1836	gwergewr.exe	88
PID 1836 wrote to memory of 4832	1836	gwergewr.exe	88
PID 4832 wrote to memory of 4348	4832	cmd.exe	89
PID 4832 wrote to memory of 4348	4832	cmd.exe	89
PID 4832 wrote to memory of 3216	4832	cmd.exe	90
PID 4832 wrote to memory of 3216	4832	cmd.exe	90
PID 4832 wrote to memory of 1804	4832	cmd.exe	91
PID 4832 wrote to memory of 1804	4832	cmd.exe	91
PID 1836 wrote to memory of 3856	1836	gwergewr.exe	95
PID 1836 wrote to memory of 3856	1836	gwergewr.exe	95
PID 1836 wrote to memory of 4360	1836	gwergewr.exe	97
PID 1836 wrote to memory of 4360	1836	gwergewr.exe	97
PID 1836 wrote to memory of 3876	1836	gwergewr.exe	99
PID 1836 wrote to memory of 3876	1836	gwergewr.exe	99
PID 1836 wrote to memory of 1684	1836	gwergewr.exe	100
PID 1836 wrote to memory of 1684	1836	gwergewr.exe	100
PID 1836 wrote to memory of 3212	1836	gwergewr.exe	101
PID 1836 wrote to memory of 3212	1836	gwergewr.exe	101

C:\Users\Admin\AppData\Local\Temp\gwergewr.exe
"C:\Users\Admin\AppData\Local\Temp\gwergewr.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1836
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\gwergewr.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4832
- - C:\Windows\system32\certutil.exe
    certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\gwergewr.exe" MD5
    3⤵
    PID:4348
- - C:\Windows\system32\find.exe
    find /i /v "md5"
    3⤵
    PID:3216
- - C:\Windows\system32\find.exe
    find /i /v "certutil"
    3⤵
    PID:1804
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:3856
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4360
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:3876
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:1684
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:3212

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3ec 0x500
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1896

memory/1836-7-0x00007FF67DBE0000-0x00007FF67E40F000-memory.dmp

Filesize
8.2MB

Download
memory/1836-3-0x00007FF67DBE0000-0x00007FF67E40F000-memory.dmp

Filesize
8.2MB

Download
memory/1836-2-0x00007FF9BC6C0000-0x00007FF9BC6C2000-memory.dmp

Filesize
8KB

Download
memory/1836-8-0x00007FF67DBE0000-0x00007FF67E40F000-memory.dmp

Filesize
8.2MB

Download
memory/1836-1-0x00007FF9BC6B0000-0x00007FF9BC6B2000-memory.dmp

Filesize
8KB

Download
memory/1836-0-0x00007FF67DC85000-0x00007FF67DFDA000-memory.dmp

Filesize
3.3MB

Download
memory/1836-9-0x00007FF67DC85000-0x00007FF67DFDA000-memory.dmp

Filesize
3.3MB

Download
memory/1836-10-0x00007FF67DBE0000-0x00007FF67E40F000-memory.dmp

Filesize
8.2MB

Download