cfac54dd89e842cf546b0347f1943ad0eba0740273bf3e29d109ab1c6ba4ccf1

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25/09/2024, 06:57

Target

cfac54dd89e842cf546b0347f1943ad0eba0740273bf3e29d109ab1c6ba4ccf1.exe
Size

2.0MB
MD5

8071b979f383cc48597c18ecc1f8debc
SHA1

47ebc63c67190d6588e256de17dd6fd3f276a33e
SHA256

cfac54dd89e842cf546b0347f1943ad0eba0740273bf3e29d109ab1c6ba4ccf1
SHA512

234fcd76b9be254b670b5866a8232d2292b089ba8a5d02103a8b2dc6bb98381b64d68f8b038f981754610bf931166809e2b44d9d310b9e1f5c54ba8da3d52cf6
SSDEEP

24576:kBxcqhG/e37rZ83+zdToZJoAOM08/85RkptVIJqeatr0zAiX90z/F0jsFB3SQk:UQi7tbYOMjUfkptVxeaB0zj0yjoB2

Score

7^/10

Executes dropped EXE 2 IoCs

pid	Process
476	Process not Found
2504	alg.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	cfac54dd89e842cf546b0347f1943ad0eba0740273bf3e29d109ab1c6ba4ccf1.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\561db33738786e49.bin	alg.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2976	cfac54dd89e842cf546b0347f1943ad0eba0740273bf3e29d109ab1c6ba4ccf1.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2976 wrote to memory of 2872	2976	cfac54dd89e842cf546b0347f1943ad0eba0740273bf3e29d109ab1c6ba4ccf1.exe	31
PID 2976 wrote to memory of 2872	2976	cfac54dd89e842cf546b0347f1943ad0eba0740273bf3e29d109ab1c6ba4ccf1.exe	31
PID 2976 wrote to memory of 2872	2976	cfac54dd89e842cf546b0347f1943ad0eba0740273bf3e29d109ab1c6ba4ccf1.exe	31

C:\Users\Admin\AppData\Local\Temp\cfac54dd89e842cf546b0347f1943ad0eba0740273bf3e29d109ab1c6ba4ccf1.exe
"C:\Users\Admin\AppData\Local\Temp\cfac54dd89e842cf546b0347f1943ad0eba0740273bf3e29d109ab1c6ba4ccf1.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2976 -s 320
  2⤵
  PID:2872

C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
33109c0b1bb7cff25db25e8539710c03

SHA1
05db0a79b4e7b2010d4db5a20114b2a2bc910acf

SHA256
c37a8359768e55e785f42dc4d742de2368e656b61888fd6c43ab9f6552af2a26

SHA512
bbb06b2250a5749648ff2ef82a3e3bea05a2bf35fbc86658a79406eb674a14fec904229645123e8f746920b83f9a93ed20878e22951e74133a3e8f79398f5a7e

Download Submit
memory/2504-23-0x0000000100000000-0x0000000100145000-memory.dmp

Filesize
1.3MB

Download
memory/2504-24-0x00000000003B0000-0x0000000000410000-memory.dmp

Filesize
384KB

Download
memory/2504-30-0x00000000003B0000-0x0000000000410000-memory.dmp

Filesize
384KB

Download
memory/2504-31-0x00000000003B0000-0x0000000000410000-memory.dmp

Filesize
384KB

Download
memory/2504-35-0x0000000100000000-0x0000000100145000-memory.dmp

Filesize
1.3MB

Download
memory/2976-0-0x0000000001BE0000-0x0000000001C40000-memory.dmp

Filesize
384KB

Download
memory/2976-10-0x0000000140000000-0x00000001401FB000-memory.dmp

Filesize
2.0MB

Download
memory/2976-13-0x0000000001BE0000-0x0000000001C40000-memory.dmp

Filesize
384KB

Download
memory/2976-34-0x0000000140000000-0x00000001401FB000-memory.dmp

Filesize
2.0MB

Download