Analysis
-
max time kernel
887s -
max time network
894s -
platform
windows7_x64 -
resource
win7v200430 -
submitted
07-07-2020 22:26
Static task
static1
Behavioral task
behavioral1
Sample
fe3d61acbcbd89998d1f92ff6417aa3254dd7ed493007e1c530efd5482ca1ec9.exe
Resource
win7
Behavioral task
behavioral2
Sample
fe3d61acbcbd89998d1f92ff6417aa3254dd7ed493007e1c530efd5482ca1ec9.exe
Resource
win7v200430
Behavioral task
behavioral3
Sample
fe3d61acbcbd89998d1f92ff6417aa3254dd7ed493007e1c530efd5482ca1ec9.exe
Resource
win7
General
-
Target
fe3d61acbcbd89998d1f92ff6417aa3254dd7ed493007e1c530efd5482ca1ec9.exe
-
Size
248KB
-
MD5
6649224ccdf35b911f93e536b0e69a8d
-
SHA1
eeafb2352f799ca894b2e9636fb6f73d28fab7d6
-
SHA256
fe3d61acbcbd89998d1f92ff6417aa3254dd7ed493007e1c530efd5482ca1ec9
-
SHA512
e5ec78ac6301b1bbda0016601d135f42f2a351e4a047531248be6fec023c28a79621596ded4a3a03dab0863b58d0bbb27d92b6ce911628c64e60ba5176ec264a
Malware Config
Signatures
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 1020 240 WerFault.exe fe3d61acbcbd89998d1f92ff6417aa3254dd7ed493007e1c530efd5482ca1ec9.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
fe3d61acbcbd89998d1f92ff6417aa3254dd7ed493007e1c530efd5482ca1ec9.exedescription pid process target process PID 240 wrote to memory of 1020 240 fe3d61acbcbd89998d1f92ff6417aa3254dd7ed493007e1c530efd5482ca1ec9.exe WerFault.exe PID 240 wrote to memory of 1020 240 fe3d61acbcbd89998d1f92ff6417aa3254dd7ed493007e1c530efd5482ca1ec9.exe WerFault.exe PID 240 wrote to memory of 1020 240 fe3d61acbcbd89998d1f92ff6417aa3254dd7ed493007e1c530efd5482ca1ec9.exe WerFault.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
WerFault.exedescription pid process Token: SeDebugPrivilege 1020 WerFault.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
WerFault.exepid process 1020 WerFault.exe 1020 WerFault.exe 1020 WerFault.exe 1020 WerFault.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
WerFault.exepid process 1020 WerFault.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\fe3d61acbcbd89998d1f92ff6417aa3254dd7ed493007e1c530efd5482ca1ec9.exe"C:\Users\Admin\AppData\Local\Temp\fe3d61acbcbd89998d1f92ff6417aa3254dd7ed493007e1c530efd5482ca1ec9.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:240 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 240 -s 962⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:1020