Analysis
max time kernel: 118s
max time network: 119s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 01-07-2024 18:44
Tasks
static1: static task
behavioral1: Bypass-Tools/CGWebInstall2.exe on win7-20240611-en
behavioral2: Bypass-Tools/CGWebInstall2.exe on win10v2004-20240611-en
behavioral3: Bypass-Tools/GPass-4.1.02.exe on win7-20240508-en
behavioral4: Bypass-Tools/GPass-4.1.02.exe on win10v2004-20240508-en
behavioral5: Bypass-Tools/U952.exe on win7-20240508-en
behavioral6: Bypass-Tools/U952.exe on win10v2004-20240611-en
behavioral7: Bypass-Tools/fg679p2.exe on win7-20240508-en
behavioral8: Bypass-Tools/fg679p2.exe on win10v2004-20240611-en
General
Target: Bypass-Tools/GPass-4.1.02.exe
Size: 1.5MB
MD5: 7278e678da87ef182749106b2eae69f6
SHA1: e3512c10ab9d63733e01d21b613c28d387481718
SHA256: b237d98792921adb8638c37b0c688d96851f5e686edab3e83070985d47fc3b32
SHA512: 2464772d7778af02051d480007c9dc23bd065ac99ba9e2c732546376d9ac2a8c850f6faf226165bb0719a768bf27e114796f303a7c260cb97cfd8675dcf2c7cf
SSDEEP: 24576:7WktzDLe1+JviXVLCxbvKMcszr6vW2e+wL7V4bZgtWi6hmPftRUNYuEmB5:ltzG+UXVLCxbvKMcT0/LAZgtWint6NAo
Malware Config
Signatures
Program crash (1 IoC)
pid 2992 (WerFault.exe) handled a crash in target pid 2972 (GPass-4.1.02.exe)
Suspicious use of WriteProcessMemory (4 IoCs)
PID 2972 (GPass-4.1.02.exe) wrote to memory of PID 2992 (WerFault.exe); four identical entries
All four writes go from the sample into the WerFault.exe child it spawned after crashing (see the process tree below). The report shows no write into a process that existed before the sample ran, so these hits on their own do not indicate injection into another process; they are the parent writing into a child it created.
Processes
1. C:\Users\Admin\AppData\Local\Temp\Bypass-Tools\GPass-4.1.02.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\Bypass-Tools\GPass-4.1.02.exe"
   signatures: Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\WerFault.exe (child of 1)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 132
      signatures: Program crash
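The two sections above (the WriteProcessMemory rows and the process tree) are enough to answer the question a triager actually has: did the sample write into a process it created itself, or into one that already existed? The script below is an added example, not part of the report or of any sandbox vendor's code. It re-types the report's process tree and signature rows as constructed input; the record layout, the helper names and the three labels are this example's own assumptions.

```python
"""Classify WriteProcessMemory hits from a sandbox report by target relationship.

Added example (not the report's own tooling). Input is constructed from the
'Processes' and 'Suspicious use of WriteProcessMemory' sections above.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: Optional[int]  # None for the root of the tree
    image: str
    cmdline: str


# Constructed from the 'Processes' section of the report.
PROCS = [
    Proc(2972, None, "GPass-4.1.02.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\Bypass-Tools\GPass-4.1.02.exe"'),
    Proc(2992, 2972, "WerFault.exe",
         r"C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 132"),
]

# Constructed from the 'Suspicious use of WriteProcessMemory' rows
# (four identical entries, 2972 -> 2992).
WPM_ROWS = [
    "PID 2972 wrote to memory of 2992 2972 GPass-4.1.02.exe WerFault.exe",
] * 4

ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")


def parse_writes(rows):
    """Return (source_pid, target_pid) pairs from the report's row text."""
    out = []
    for row in rows:
        m = ROW_RE.search(row)
        if m is None:
            raise ValueError(f"unrecognised row: {row!r}")
        out.append((int(m.group(1)), int(m.group(2))))
    return out


def classify_writes(procs, rows):
    """Label each write 'own-child', 'other-process' or 'unknown-target'.

    A write into a process whose parent is the writer is the normal traffic
    of process creation (the report still counts it). A write into any
    other live process is the case worth a closer look (possible injection).
    """
    by_pid = {p.pid: p for p in procs}
    results = []
    for src, dst in parse_writes(rows):
        target = by_pid.get(dst)
        if target is None:
            label = "unknown-target"   # target never appeared in the tree
        elif target.ppid == src:
            label = "own-child"        # writer spawned the target
        else:
            label = "other-process"    # pre-existing or unrelated process
        results.append((src, dst, label))
    return results


def werfault_victim(procs):
    """Return the pid WerFault.exe was launched for (its -p argument), or None."""
    for p in procs:
        if p.image.lower() == "werfault.exe":
            m = re.search(r"-p (\d+)", p.cmdline)
            if m:
                return int(m.group(1))
    return None


def summarize(procs, rows):
    """Count labels and tie the crash handler back to the crashed pid."""
    labels = [lbl for _, _, lbl in classify_writes(procs, rows)]
    return {
        "total": len(labels),
        "own_child": labels.count("own-child"),
        "other_process": labels.count("other-process"),
        "unknown_target": labels.count("unknown-target"),
        "crashed_pid": werfault_victim(procs),
    }


if __name__ == "__main__":
    for src, dst, label in classify_writes(PROCS, WPM_ROWS):
        print(f"{src} -> {dst}: {label}")
    print(summarize(PROCS, WPM_ROWS))
```

On this report every write classifies as own-child and the WerFault command line points back at pid 2972, the sample itself; an "other-process" or "unknown-target" result is the case that would justify pulling the memory dump.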