410c1f86ed225d467bfd2962b0a912b67d68759318220c3a743b5c1fce702f7b

Analysis

max time kernel
148s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15/09/2024, 04:24

Target

410c1f86ed225d467bfd2962b0a912b67d68759318220c3a743b5c1fce702f7b.exe
Size

2.0MB
MD5

de26e16f53cc6d658f98f25f060fe2ea
SHA1

fd3341af9808f8cbec811dd89ecbe0bff9d81d91
SHA256

410c1f86ed225d467bfd2962b0a912b67d68759318220c3a743b5c1fce702f7b
SHA512

ced5fedc3077d12309c033e483ea33c85433180d5c2d8cd78f1b3a1741e5aa22b70ab8f58a4dea17f0bb42a6254d72f280d6b8551ebe6648dce67e358eeee426
SSDEEP

24576:5BxcqhG/e37rZ83+zdToZJoAOM08/85RkptVIJq7n2yEBmprUoWC993bFs:JQi7tbYOMjUfkptVx72yEBSUoWs3bF

Score

7^/10

Executes dropped EXE 2 IoCs

pid	Process
476	Process not Found
2152	alg.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	410c1f86ed225d467bfd2962b0a912b67d68759318220c3a743b5c1fce702f7b.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\8804318938786e49.bin	alg.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2148	410c1f86ed225d467bfd2962b0a912b67d68759318220c3a743b5c1fce702f7b.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2148 wrote to memory of 2964	2148	410c1f86ed225d467bfd2962b0a912b67d68759318220c3a743b5c1fce702f7b.exe	31
PID 2148 wrote to memory of 2964	2148	410c1f86ed225d467bfd2962b0a912b67d68759318220c3a743b5c1fce702f7b.exe	31
PID 2148 wrote to memory of 2964	2148	410c1f86ed225d467bfd2962b0a912b67d68759318220c3a743b5c1fce702f7b.exe	31

C:\Users\Admin\AppData\Local\Temp\410c1f86ed225d467bfd2962b0a912b67d68759318220c3a743b5c1fce702f7b.exe
"C:\Users\Admin\AppData\Local\Temp\410c1f86ed225d467bfd2962b0a912b67d68759318220c3a743b5c1fce702f7b.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2148
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2148 -s 228
  2⤵
  PID:2964

C:\Users\Admin\AppData\Local\Temp\JavaLauncher.log

Filesize
2KB

MD5
493bcc8781a121231c9b53aff3238c93

SHA1
bda350b956ad66dc21daf273aec4ef72940a86c1

SHA256
35f331472234644e6765e957f0cacddf981f769792beef73338e6660e2e75832

SHA512
95b3c1b944081f1d622a00c4df66bc8fc3774dd910c86593515a6aa2235a2ccb0148fb0cc5b039e854eaaffd7b3c573c1f0f662a353c70e1a798c69f1ce81d06

Download Submit
\Windows\System32\alg.exe

Filesize
1.4MB

MD5
f2d1851586f49d5fccb814cd77c9dae2

SHA1
6eb9de4f58a1957d6d0d1402304e4bcef24e45c3

SHA256
908fcb8175bc331a9c97c58d6532d1f674c7862f828aba9c6438f6fcfdaab388

SHA512
84b54969c4a26768851ba8295047f4564b6c82504c0d44950bd06ffaadd8e6764ac6decc686125fbb13dae747966b9f52b298641857dfead59f9740867d3088d

Download Submit
memory/2148-0-0x0000000001BD0000-0x0000000001C30000-memory.dmp

Filesize
384KB

Download
memory/2148-6-0x0000000001BD0000-0x0000000001C30000-memory.dmp

Filesize
384KB

Download
memory/2148-18-0x0000000140000000-0x00000001401FB000-memory.dmp

Filesize
2.0MB

Download
memory/2148-33-0x0000000140000000-0x00000001401FB000-memory.dmp

Filesize
2.0MB

Download
memory/2152-31-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/2152-30-0x0000000100000000-0x0000000100160000-memory.dmp

Filesize
1.4MB

Download
memory/2152-22-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/2152-34-0x0000000100000000-0x0000000100160000-memory.dmp

Filesize
1.4MB

Download