fe3d61acbcbd89998d1f92ff6417aa3254dd7ed493007e1c530efd5482ca1ec9 | Triage

Analysis

max time kernel
887s
max time network
894s
platform
windows7_x64
resource
win7v200430
submitted
07-07-2020 22:26

Sharing

Report Analysis Logs

General

Target

fe3d61acbcbd89998d1f92ff6417aa3254dd7ed493007e1c530efd5482ca1ec9.exe
Size

248KB
MD5

6649224ccdf35b911f93e536b0e69a8d
SHA1

eeafb2352f799ca894b2e9636fb6f73d28fab7d6
SHA256

fe3d61acbcbd89998d1f92ff6417aa3254dd7ed493007e1c530efd5482ca1ec9
SHA512

e5ec78ac6301b1bbda0016601d135f42f2a351e4a047531248be6fec023c28a79621596ded4a3a03dab0863b58d0bbb27d92b6ce911628c64e60ba5176ec264a

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1020 240 WerFault.exe fe3d61acbcbd89998d1f92ff6417aa3254dd7ed493007e1c530efd5482ca1ec9.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

fe3d61acbcbd89998d1f92ff6417aa3254dd7ed493007e1c530efd5482ca1ec9.exe

description	pid	process	target process
PID 240 wrote to memory of 1020	240	fe3d61acbcbd89998d1f92ff6417aa3254dd7ed493007e1c530efd5482ca1ec9.exe	WerFault.exe
PID 240 wrote to memory of 1020	240	fe3d61acbcbd89998d1f92ff6417aa3254dd7ed493007e1c530efd5482ca1ec9.exe	WerFault.exe
PID 240 wrote to memory of 1020	240	fe3d61acbcbd89998d1f92ff6417aa3254dd7ed493007e1c530efd5482ca1ec9.exe	WerFault.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 1020 WerFault.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

WerFault.exe

pid process

1020 WerFault.exe
1020 WerFault.exe
1020 WerFault.exe
1020 WerFault.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WerFault.exe

pid process

1020 WerFault.exe

C:\Users\Admin\AppData\Local\Temp\fe3d61acbcbd89998d1f92ff6417aa3254dd7ed493007e1c530efd5482ca1ec9.exe
"C:\Users\Admin\AppData\Local\Temp\fe3d61acbcbd89998d1f92ff6417aa3254dd7ed493007e1c530efd5482ca1ec9.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:240

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 240 -s 96
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:1020

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1020-0-0x0000000000000000-mapping.dmp

Download
memory/1020-1-0x0000000001E90000-0x0000000001EA1000-memory.dmp

Filesize
68KB

Download
memory/1020-2-0x00000000027F0000-0x0000000002801000-memory.dmp

Filesize
68KB

Download