78f26c85166563818a5c19b9b3f7d16fcf193455065e6f0d22994e806628d351

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28/09/2024, 05:21

Target

78f26c85166563818a5c19b9b3f7d16fcf193455065e6f0d22994e806628d351.exe
Size

2.0MB
MD5

61cf39117e2d4c4e65a86645cecd2974
SHA1

a80dbc9f985c1f0938dc1281180b976f26aebb58
SHA256

78f26c85166563818a5c19b9b3f7d16fcf193455065e6f0d22994e806628d351
SHA512

dbf18b60bfea0e7d5ffc5593b91f89ab5c83110e0df0db6540628d1cd120cac4395d3305c5cd0ae4e3cb27c4fb0635cf1b2e3aea606b3edcee8ca4fe54481533
SSDEEP

24576:EBxcqhG/e37rZ83+zdToZJoAOM08/85RkptVIJqNsqjnhMgeiCl7G0nehbGZpbD:0gi7tbYOMjUfkptVxxDmg27RnWGj

Score

7^/10

Executes dropped EXE 2 IoCs

pid	Process
464	Process not Found
2756	alg.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	78f26c85166563818a5c19b9b3f7d16fcf193455065e6f0d22994e806628d351.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\d1495912f1301b95.bin	alg.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	78f26c85166563818a5c19b9b3f7d16fcf193455065e6f0d22994e806628d351.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3028	78f26c85166563818a5c19b9b3f7d16fcf193455065e6f0d22994e806628d351.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 2700	3028	78f26c85166563818a5c19b9b3f7d16fcf193455065e6f0d22994e806628d351.exe	31
PID 3028 wrote to memory of 2700	3028	78f26c85166563818a5c19b9b3f7d16fcf193455065e6f0d22994e806628d351.exe	31
PID 3028 wrote to memory of 2700	3028	78f26c85166563818a5c19b9b3f7d16fcf193455065e6f0d22994e806628d351.exe	31

C:\Users\Admin\AppData\Local\Temp\78f26c85166563818a5c19b9b3f7d16fcf193455065e6f0d22994e806628d351.exe
"C:\Users\Admin\AppData\Local\Temp\78f26c85166563818a5c19b9b3f7d16fcf193455065e6f0d22994e806628d351.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3028 -s 320
  2⤵
  PID:2700

\Windows\System32\alg.exe

Filesize
1.3MB

MD5
e893d6099f8f62cb0f297b03ab23ba1f

SHA1
fd615f3399541821011d140ba2a86ced2105bce3

SHA256
83ab0c14c08cdb4c355a8dcf71f2abc0fef46bf457dda08a1486c8c56529ea6b

SHA512
b31003df1a4d503ef90502a1fb6282ebf85a97d106e8e7fe0bf21b02bd62c716d86d52cba2b9be7daebf3165931a23219bc17c7c0c06bb9955e146adedcd6ff1

Download Submit
memory/2756-23-0x0000000100000000-0x0000000100144000-memory.dmp

Filesize
1.3MB

Download
memory/2756-24-0x00000000003A0000-0x0000000000400000-memory.dmp

Filesize
384KB

Download
memory/2756-32-0x00000000003A0000-0x0000000000400000-memory.dmp

Filesize
384KB

Download
memory/2756-36-0x0000000100000000-0x0000000100144000-memory.dmp

Filesize
1.3MB

Download
memory/3028-0-0x0000000140000000-0x00000001401FB000-memory.dmp

Filesize
2.0MB

Download
memory/3028-7-0x00000000001D0000-0x0000000000230000-memory.dmp

Filesize
384KB

Download
memory/3028-1-0x00000000001D0000-0x0000000000230000-memory.dmp

Filesize
384KB

Download
memory/3028-8-0x00000000001D0000-0x0000000000230000-memory.dmp

Filesize
384KB

Download
memory/3028-35-0x0000000140000000-0x00000001401FB000-memory.dmp

Filesize
2.0MB

Download