7a245e07279488497a16ef86a6129b1bd8c72c18b37a2504bee743c528aab8da

General

Target

55a4729b40ed4f2aaccb3d59ddf80d95.exe
Size

151KB
MD5

55a4729b40ed4f2aaccb3d59ddf80d95
SHA1

c5cc028d488b4a348091528f3089d04dac432eaf
SHA256

7a245e07279488497a16ef86a6129b1bd8c72c18b37a2504bee743c528aab8da
SHA512

5e1afba9ccac1be8941e8e1204a1ccf5bf75f8d95b8574c13a11f0a628af7ec795be9bd2f1930b071f17016cc5af35e90e7f491c1c8e2505c4a3cb76670109cd

Score

8^/10

Malware Config

Signatures

Drops file in Windows directory 5 IoCs

Processes:

55a4729b40ed4f2aaccb3d59ddf80d95.exeelcna.execgdbx.exe

description	ioc	process
File created	C:\Windows\Tasks\elcna.job	55a4729b40ed4f2aaccb3d59ddf80d95.exe
File opened for modification	C:\Windows\Tasks\elcna.job	55a4729b40ed4f2aaccb3d59ddf80d95.exe
File created	C:\Windows\Tasks\navvearngctbievrkgx.job	elcna.exe
File created	C:\Windows\Tasks\ivxm.job	cgdbx.exe
File opened for modification	C:\Windows\Tasks\ivxm.job	cgdbx.exe

Program crash 10 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3824	3588	WerFault.exe	55a4729b40ed4f2aaccb3d59ddf80d95.exe
2260	412	WerFault.exe	elcna.exe
2060	412	WerFault.exe	elcna.exe
3728	3588	WerFault.exe	55a4729b40ed4f2aaccb3d59ddf80d95.exe
804	3588	WerFault.exe	55a4729b40ed4f2aaccb3d59ddf80d95.exe
616	412	WerFault.exe	elcna.exe
1208	412	WerFault.exe	elcna.exe
1888	3208	WerFault.exe	cgdbx.exe
3560	412	WerFault.exe	elcna.exe
2824	3992	WerFault.exe	ivxm.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	pid	process
Token: SeRestorePrivilege	3824	WerFault.exe
Token: SeBackupPrivilege	3824	WerFault.exe
Token: SeDebugPrivilege	3824	WerFault.exe
Token: SeDebugPrivilege	2260	WerFault.exe
Token: SeDebugPrivilege	2060	WerFault.exe
Token: SeDebugPrivilege	3728	WerFault.exe
Token: SeDebugPrivilege	804	WerFault.exe
Token: SeDebugPrivilege	616	WerFault.exe
Token: SeDebugPrivilege	1208	WerFault.exe
Token: SeDebugPrivilege	3560	WerFault.exe
Token: SeDebugPrivilege	1888	WerFault.exe
Token: SeDebugPrivilege	2824	WerFault.exe

Suspicious behavior: EnumeratesProcesses 134 IoCs

Processes:

WerFault.exe55a4729b40ed4f2aaccb3d59ddf80d95.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	process
3824	WerFault.exe
3824	WerFault.exe
3824	WerFault.exe
3824	WerFault.exe
3824	WerFault.exe
3824	WerFault.exe
3824	WerFault.exe
3824	WerFault.exe
3824	WerFault.exe
3824	WerFault.exe
3824	WerFault.exe
3824	WerFault.exe
3824	WerFault.exe
3588	55a4729b40ed4f2aaccb3d59ddf80d95.exe
3588	55a4729b40ed4f2aaccb3d59ddf80d95.exe
2260	WerFault.exe
2260	WerFault.exe
2260	WerFault.exe
2260	WerFault.exe
2260	WerFault.exe
2260	WerFault.exe
2260	WerFault.exe
2260	WerFault.exe
2260	WerFault.exe
2260	WerFault.exe
2260	WerFault.exe
2260	WerFault.exe
2260	WerFault.exe
2060	WerFault.exe
2060	WerFault.exe
2060	WerFault.exe
2060	WerFault.exe
2060	WerFault.exe
2060	WerFault.exe
2060	WerFault.exe
2060	WerFault.exe
2060	WerFault.exe
2060	WerFault.exe
2060	WerFault.exe
2060	WerFault.exe
2060	WerFault.exe
3728	WerFault.exe
3728	WerFault.exe
3728	WerFault.exe
3728	WerFault.exe
3728	WerFault.exe
3728	WerFault.exe
3728	WerFault.exe
3728	WerFault.exe
3728	WerFault.exe
3728	WerFault.exe
3728	WerFault.exe
3728	WerFault.exe
3728	WerFault.exe
804	WerFault.exe
804	WerFault.exe
804	WerFault.exe
804	WerFault.exe
804	WerFault.exe
804	WerFault.exe
804	WerFault.exe
804	WerFault.exe
804	WerFault.exe
804	WerFault.exe

Executes dropped EXE 3 IoCs

Processes:

elcna.execgdbx.exeivxm.exe

pid process

412 elcna.exe
3208 cgdbx.exe
3992 ivxm.exe

pid	process
412	elcna.exe
3208	cgdbx.exe
3992	ivxm.exe

C:\Users\Admin\AppData\Local\Temp\55a4729b40ed4f2aaccb3d59ddf80d95.exe
"C:\Users\Admin\AppData\Local\Temp\55a4729b40ed4f2aaccb3d59ddf80d95.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:3588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 544
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:3824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 856
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:3728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 868
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:804

C:\ProgramData\pqjgc\elcna.exe
C:\ProgramData\pqjgc\elcna.exe start
1⤵
- Drops file in Windows directory
- Executes dropped EXE
PID:412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 412 -s 536
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:2260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 412 -s 716
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:2060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 412 -s 724
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 412 -s 688
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 412 -s 932
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3560

C:\Windows\TEMP\cgdbx.exe
C:\Windows\TEMP\cgdbx.exe
1⤵
- Drops file in Windows directory
- Executes dropped EXE
PID:3208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3208 -s 536
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1888

C:\ProgramData\iwup\ivxm.exe
C:\ProgramData\iwup\ivxm.exe start
1⤵
- Executes dropped EXE
PID:3992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3992 -s 540
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2824

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB413.tmp.WERInternalMetadata.xml

Download Submit
C:\ProgramData\iwup\ivxm.exe

Download Submit
C:\ProgramData\iwup\ivxm.exe

Download Submit
C:\ProgramData\pqjgc\elcna.exe

Download Submit
C:\ProgramData\pqjgc\elcna.exe

Download Submit
C:\Windows\TEMP\cgdbx.exe

Download Submit
C:\Windows\Tasks\elcna.job

Download Submit
C:\Windows\Temp\cgdbx.exe

Download Submit
memory/412-54-0x0000000003C60000-0x0000000003C61000-memory.dmp

Filesize
4KB

Download
memory/412-55-0x0000000003C60000-0x0000000003C61000-memory.dmp

Filesize
4KB

Download
memory/412-53-0x000000000343C000-0x000000000343D000-memory.dmp

Filesize
4KB

Download
memory/616-84-0x0000000003EE0000-0x0000000003EE1000-memory.dmp

Filesize
4KB

Download
memory/616-81-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/804-77-0x0000000004560000-0x0000000004561000-memory.dmp

Filesize
4KB

Download
memory/804-80-0x0000000004C90000-0x0000000004C91000-memory.dmp

Filesize
4KB

Download
memory/1208-88-0x00000000034D0000-0x00000000034D1000-memory.dmp

Filesize
4KB

Download
memory/1208-85-0x0000000002DA0000-0x0000000002DA1000-memory.dmp

Filesize
4KB

Download
memory/1888-95-0x0000000003990000-0x0000000003991000-memory.dmp

Filesize
4KB

Download
memory/1888-100-0x00000000041C0000-0x00000000041C1000-memory.dmp

Filesize
4KB

Download
memory/2060-63-0x0000000002F00000-0x0000000002F01000-memory.dmp

Filesize
4KB

Download
memory/2260-56-0x0000000003080000-0x0000000003081000-memory.dmp

Filesize
4KB

Download
memory/2260-60-0x0000000003870000-0x0000000003871000-memory.dmp

Filesize
4KB

Download
memory/2260-59-0x0000000003480000-0x0000000003481000-memory.dmp

Filesize
4KB

Download
memory/2824-107-0x0000000003910000-0x0000000003911000-memory.dmp

Filesize
4KB

Download
memory/2824-110-0x0000000004040000-0x0000000004041000-memory.dmp

Filesize
4KB

Download
memory/3208-91-0x000000000363C000-0x000000000363D000-memory.dmp

Filesize
4KB

Download
memory/3208-92-0x0000000003CF0000-0x0000000003CF1000-memory.dmp

Filesize
4KB

Download
memory/3560-94-0x0000000003550000-0x0000000003551000-memory.dmp

Filesize
4KB

Download
memory/3560-101-0x0000000003F10000-0x0000000003F11000-memory.dmp

Filesize
4KB

Download
memory/3588-1-0x00000000052E0000-0x00000000052E1000-memory.dmp

Filesize
4KB

Download
memory/3588-76-0x00000000053E0000-0x00000000053E1000-memory.dmp

Filesize
4KB

Download
memory/3588-0-0x0000000003361000-0x0000000003362000-memory.dmp

Filesize
4KB

Download
memory/3588-75-0x00000000053E0000-0x00000000053E1000-memory.dmp

Filesize
4KB

Download
memory/3728-71-0x0000000004980000-0x0000000004981000-memory.dmp

Filesize
4KB

Download
memory/3728-74-0x0000000004FC0000-0x0000000004FC1000-memory.dmp

Filesize
4KB

Download
memory/3824-6-0x00000000051C0000-0x00000000051C1000-memory.dmp

Filesize
4KB

Download
memory/3824-2-0x0000000004A90000-0x0000000004A91000-memory.dmp

Filesize
4KB

Download
memory/3824-3-0x0000000004A90000-0x0000000004A91000-memory.dmp

Filesize
4KB

Download
memory/3992-105-0x000000000344C000-0x000000000344D000-memory.dmp

Filesize
4KB

Download
memory/3992-106-0x0000000003CE0000-0x0000000003CE1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads