Analysis
- max time kernel: 146s
- max time network: 26s
- platform: windows7_x64
- resource: win7v200430
- submitted: 29-05-2020 04:11
Static task: static1

Behavioral task: behavioral1
- Sample: 1f6ae0f347e101a1c4244177efc8ba7459630d7f.exe
- Resource: win7v200430
- Platform: windows7_x64
- 0 signatures
- 0 seconds

Behavioral task: behavioral2
- Sample: 1f6ae0f347e101a1c4244177efc8ba7459630d7f.exe
- Resource: win10v200430
- Platform: windows10_x64
- 0 signatures
- 0 seconds
General
- Target: 1f6ae0f347e101a1c4244177efc8ba7459630d7f.exe
- Size: 335KB
- MD5: 5d3007f8299a676dd4e31157dd7fc731
- SHA1: 1f6ae0f347e101a1c4244177efc8ba7459630d7f
- SHA256: 72c019880ad2656f877ae76590ac447287c3ce5805e91097316fdc1e5b6645f2
- SHA512: 76a74ae3d0eb5a2471b89b42c58b6b6b05c5753f2a96e9980605cd6c74c747c9d3d613ed82e213ca6ff411c6d23a4be6e52aa9b5270e244ab4d16ef94ba7c2ec
- Score: 3/10
Malware Config
Signatures
Program crash (1 IoC)
Processes:
pid   pid_target  process       target process
1696  1008        WerFault.exe  1f6ae0f347e101a1c4244177efc8ba7459630d7f.exe

Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
description                       pid   process                                        target process
PID 1008 wrote to memory of 1696  1008  1f6ae0f347e101a1c4244177efc8ba7459630d7f.exe  WerFault.exe
PID 1008 wrote to memory of 1696  1008  1f6ae0f347e101a1c4244177efc8ba7459630d7f.exe  WerFault.exe
PID 1008 wrote to memory of 1696  1008  1f6ae0f347e101a1c4244177efc8ba7459630d7f.exe  WerFault.exe
PID 1008 wrote to memory of 1696  1008  1f6ae0f347e101a1c4244177efc8ba7459630d7f.exe  WerFault.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
description              pid   process
Token: SeDebugPrivilege  1696  WerFault.exe

Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes:
pid   process
1008  1f6ae0f347e101a1c4244177efc8ba7459630d7f.exe
1696  WerFault.exe
1696  WerFault.exe
1696  WerFault.exe
1696  WerFault.exe
Processes
C:\Users\Admin\AppData\Local\Temp\1f6ae0f347e101a1c4244177efc8ba7459630d7f.exe
  "C:\Users\Admin\AppData\Local\Temp\1f6ae0f347e101a1c4244177efc8ba7459630d7f.exe"
  - Suspicious use of WriteProcessMemory
  - Suspicious behavior: EnumeratesProcesses
  C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1008 -s 188
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses