f307cd4cb26d2d851ca55e9ab039656247ffd3b01b89ad0dcd32adf8e689724b | Triage

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05-09-2024 12:28

Sharing

Report Analysis Logs

General

Target

1d0000.MSBuild.exe
Size

151KB
MD5

41cf033d05ae0e2c5238a7932cf2dc77
SHA1

df885092f397a0a70f26b98c5abb35253d2cb06c
SHA256

f307cd4cb26d2d851ca55e9ab039656247ffd3b01b89ad0dcd32adf8e689724b
SHA512

eb1a3d4fe54c01c5ed6eb58208fed72aaf628aa6df60f5711f0e8e119a68517d7bc4112c5387858803072b144510fbd7c74f5e44853d3aefa5685979f755ef48
SSDEEP

3072:FzFIwXIUVadV/NqI9tw5ojnsbkps3CUBB8owEKctGE:RXcV/55jnsbkps3CUBB81EK

Score

1^/10

Malware Config

Signatures

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2060	1d0000.MSBuild.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 2508	2060	1d0000.MSBuild.exe	30
PID 2060 wrote to memory of 2508	2060	1d0000.MSBuild.exe	30
PID 2060 wrote to memory of 2508	2060	1d0000.MSBuild.exe	30

C:\Users\Admin\AppData\Local\Temp\1d0000.MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\1d0000.MSBuild.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2060 -s 1060
  2⤵
  PID:2508

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2060-0-0x000007FEF5D13000-0x000007FEF5D14000-memory.dmp

Filesize
4KB

Download
memory/2060-1-0x0000000000E00000-0x0000000000E2C000-memory.dmp

Filesize
176KB

Download
memory/2060-2-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

Filesize
9.9MB

Download
memory/2060-3-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

Filesize
9.9MB

Download