Analysis
- max time kernel: 131s
- max time network: 144s
- platform: windows7_x64
- resource: win7
- submitted: 25-10-2020 19:01

Static task: static1
Behavioral task: behavioral1
Sample: 958bcd0dcb4a1fe6d5a35016b45f336e.exe
Resource: win7
0 signatures
0 seconds
General
- Target: 958bcd0dcb4a1fe6d5a35016b45f336e.exe
- Size: 859KB
- MD5: 958bcd0dcb4a1fe6d5a35016b45f336e
- SHA1: 870683671b188887bce2dd3ae2234ff7540000b0
- SHA256: f52f1869bfde156b6c22b36561d473f58273ea5c49a7403db8670c5a59f696d8
- SHA512: 45bfd9ff786e69226f0568122de76f40a250e1419b8cf1ab0e23c171bba2dce8f9d6f79aa181f20474c5d068099ce93d7f23007395a56c599d1d7be4efb3c168

Score: 6/10
Malware Config
Signatures
-
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow  ioc
  5     api.ipify.org
  6     api.ipify.org
Program crash (1 IoC)
Processes: WerFault.exe
  pid   pid_target  process       target process
  1688  1900        WerFault.exe  958bcd0dcb4a1fe6d5a35016b45f336e.exe
Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes: WerFault.exe
  pid   process
  1688  WerFault.exe
  1688  WerFault.exe
  1688  WerFault.exe
  1688  WerFault.exe
  1688  WerFault.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: 958bcd0dcb4a1fe6d5a35016b45f336e.exe, WerFault.exe
  description              pid   process
  Token: SeDebugPrivilege  1900  958bcd0dcb4a1fe6d5a35016b45f336e.exe
  Token: SeDebugPrivilege  1688  WerFault.exe
Suspicious use of WriteProcessMemory (3 IoCs)
Processes: 958bcd0dcb4a1fe6d5a35016b45f336e.exe
  description                         pid   process                               target process
  PID 1900 wrote to memory of 1688    1900  958bcd0dcb4a1fe6d5a35016b45f336e.exe  WerFault.exe
  PID 1900 wrote to memory of 1688    1900  958bcd0dcb4a1fe6d5a35016b45f336e.exe  WerFault.exe
  PID 1900 wrote to memory of 1688    1900  958bcd0dcb4a1fe6d5a35016b45f336e.exe  WerFault.exe
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\958bcd0dcb4a1fe6d5a35016b45f336e.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\958bcd0dcb4a1fe6d5a35016b45f336e.exe"
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\WerFault.exe (child of 1)
      Command line: C:\Windows\system32\WerFault.exe -u -p 1900 -s 1732
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
-
- memory/1688-3-0x0000000000000000-mapping.dmp
- memory/1688-4-0x0000000001D30000-0x0000000001D41000-memory.dmp (Filesize: 68KB)
- memory/1688-7-0x0000000002A90000-0x0000000002AA1000-memory.dmp (Filesize: 68KB)
- memory/1900-0-0x000007FEF63E0000-0x000007FEF6DCC000-memory.dmp (Filesize: 9.9MB)
- memory/1900-1-0x0000000001220000-0x0000000001221000-memory.dmp (Filesize: 4KB)