2b419f986ea266fa5826fbb6858782f7c2acfda73aa5ec5cb21d64537d6a4ea1

Analysis

max time kernel
111s
max time network
120s
platform
windows7_x64
resource
win7
submitted
17/07/2020, 00:09

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2b419f986ea266fa5826fbb6858782f7c2acfda73aa5ec5cb21d64537d6a4ea1.exe
Size

701KB
MD5

5b71d24c0e55eb1acf9828187fc08b7b
SHA1

1fa2c5c7b30cbe37373207ab195fc967b2e4c66f
SHA256

2b419f986ea266fa5826fbb6858782f7c2acfda73aa5ec5cb21d64537d6a4ea1
SHA512

9deef664040a3feb37759b1dbc33ad66b212dcf7c7ddc1b9e13c6c09b94f85ad81bb4600d9a51e92520c4a6ae1d2e65181039de5c437661b6f80a1db866cfb9c

Score

6^/10

persistence

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
316	900	WerFault.exe	23

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 900 wrote to memory of 316	900	2b419f986ea266fa5826fbb6858782f7c2acfda73aa5ec5cb21d64537d6a4ea1.exe	24
PID 900 wrote to memory of 316	900	2b419f986ea266fa5826fbb6858782f7c2acfda73aa5ec5cb21d64537d6a4ea1.exe	24
PID 900 wrote to memory of 316	900	2b419f986ea266fa5826fbb6858782f7c2acfda73aa5ec5cb21d64537d6a4ea1.exe	24
PID 900 wrote to memory of 316	900	2b419f986ea266fa5826fbb6858782f7c2acfda73aa5ec5cb21d64537d6a4ea1.exe	24

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	316	WerFault.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
316	WerFault.exe
316	WerFault.exe
316	WerFault.exe
316	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\WdvEl = "C:\\AVGLFESB\\WdvEls\\WdvElscUU.vbs"	2b419f986ea266fa5826fbb6858782f7c2acfda73aa5ec5cb21d64537d6a4ea1.exe

C:\Users\Admin\AppData\Local\Temp\2b419f986ea266fa5826fbb6858782f7c2acfda73aa5ec5cb21d64537d6a4ea1.exe
"C:\Users\Admin\AppData\Local\Temp\2b419f986ea266fa5826fbb6858782f7c2acfda73aa5ec5cb21d64537d6a4ea1.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Adds Run key to start application
PID:900
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 900 -s 7360
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  PID:316

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/316-1-0x00000000021C0000-0x00000000021D1000-memory.dmp

Filesize
68KB

Download
memory/316-2-0x0000000002590000-0x00000000025A1000-memory.dmp

Filesize
68KB

Download