c416db4cda367c4e1f8d45bc3e308bcfde7e958bdd8029d92e31599e0d764dd1

Analysis

max time kernel
120s
max time network
125s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
21-11-2024 18:02

Target

FanControl.zip
Size

6.3MB
MD5

542253310b141f47cd141665a3bb4324
SHA1

c07dd32580155be69278ee7526b08d547c61dd02
SHA256

c416db4cda367c4e1f8d45bc3e308bcfde7e958bdd8029d92e31599e0d764dd1
SHA512

0f7b7cde0980aed7f7f0780188a072326ce0885124e741f4f8d3a49ecd6e9b9cc2dabc77a21c04655e0019a9e72aacb45ca2b8ea2979bdd266838eff368ac686
SSDEEP

196608:XV0h0C9RGiXit6Al9gGsMlcXh/O+o+H2zo5kSI8VHkGm:XVIGiXiNgGsvhW+o+HMo5kSFkN

Score

7^/10

Executes dropped EXE 2 IoCs

Processes:

FanControl.exeFanControl.exe

pid process

2956 FanControl.exe
2132 FanControl.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

7zFM.exe

pid process

2872 7zFM.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

7zFM.exe

pid process

2872 7zFM.exe

pid	process
2956	FanControl.exe
2132	FanControl.exe

pid	process
2872	7zFM.exe

pid	process
2872	7zFM.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

7zFM.exeAUDIODG.EXE

description	pid	process
Token: SeRestorePrivilege	2872	7zFM.exe
Token: 35	2872	7zFM.exe
Token: SeSecurityPrivilege	2872	7zFM.exe
Token: SeSecurityPrivilege	2872	7zFM.exe
Token: 33	952	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	952	AUDIODG.EXE
Token: 33	952	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	952	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

7zFM.exe

pid process

2872 7zFM.exe
2872 7zFM.exe
2872 7zFM.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

7zFM.exeFanControl.exeFanControl.exe

description	pid	process	target process
PID 2872 wrote to memory of 2956	2872	7zFM.exe	FanControl.exe
PID 2872 wrote to memory of 2956	2872	7zFM.exe	FanControl.exe
PID 2872 wrote to memory of 2956	2872	7zFM.exe	FanControl.exe
PID 2956 wrote to memory of 2832	2956	FanControl.exe	WerFault.exe
PID 2956 wrote to memory of 2832	2956	FanControl.exe	WerFault.exe
PID 2956 wrote to memory of 2832	2956	FanControl.exe	WerFault.exe
PID 2132 wrote to memory of 2180	2132	FanControl.exe	WerFault.exe
PID 2132 wrote to memory of 2180	2132	FanControl.exe	WerFault.exe
PID 2132 wrote to memory of 2180	2132	FanControl.exe	WerFault.exe

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x570
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:952

C:\Users\Admin\Downloads\FanControl.exe
"C:\Users\Admin\Downloads\FanControl.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2132 -s 652
  2⤵
  PID:2180

C:\Users\Admin\AppData\Local\Temp\7zO83B4A9C7\FanControl.exe

Filesize
1.3MB

MD5
9b94d3f94fae042147cbe5dc8009370f

SHA1
3116e6fa60f5cd0d580ff748d6ae0499e7534ff2

SHA256
6d99e5b8af7bd2312f7d3aa2e42514ceb40ed3203dfc669558e8d5d0879c724b

SHA512
1ee4b0a0d5a5eee964f20f875b6c0254086b4ac2925e47be64e943e4bff97be2b536ebb787dd9390160649ccda6a29f3134800901880458c407695186c5dab71

Download Submit
memory/2132-17-0x0000000001370000-0x00000000014D0000-memory.dmp

Filesize
1.4MB

Download
memory/2956-11-0x0000000000CB0000-0x0000000000E10000-memory.dmp

Filesize
1.4MB

Download