cebd48d8e9131c2de3e41c0eb028bf8cd8ce92de9df01443d1d24c217645b511

General

Target

cebd48d8e9131c2de3e41c0eb028bf8cd8ce92de9df01443d1d24c217645b511.exe
Size

681KB
MD5

7e55f8a4dca5fe9ed6757a91b9ec4bdf
SHA1

c22c87d35b9ca63cc348a24e29c4e69f12ecdb27
SHA256

cebd48d8e9131c2de3e41c0eb028bf8cd8ce92de9df01443d1d24c217645b511
SHA512

e8e5784df5ee64fb475a30fd8fd4b40cd2d01efb8bab43aa51d846065c5f8a3ff98988d622d2931e60f9dbc3099710c13e25f81caed5c83d30675124fdd3c332

Score

3^/10

Malware Config

Signatures

Program crash 13 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3136	980	WerFault.exe	cebd48d8e9131c2de3e41c0eb028bf8cd8ce92de9df01443d1d24c217645b511.exe
2880	980	WerFault.exe	cebd48d8e9131c2de3e41c0eb028bf8cd8ce92de9df01443d1d24c217645b511.exe
3676	980	WerFault.exe	cebd48d8e9131c2de3e41c0eb028bf8cd8ce92de9df01443d1d24c217645b511.exe
2972	980	WerFault.exe	cebd48d8e9131c2de3e41c0eb028bf8cd8ce92de9df01443d1d24c217645b511.exe
3952	980	WerFault.exe	cebd48d8e9131c2de3e41c0eb028bf8cd8ce92de9df01443d1d24c217645b511.exe
2884	980	WerFault.exe	cebd48d8e9131c2de3e41c0eb028bf8cd8ce92de9df01443d1d24c217645b511.exe
3580	980	WerFault.exe	cebd48d8e9131c2de3e41c0eb028bf8cd8ce92de9df01443d1d24c217645b511.exe
2376	980	WerFault.exe	cebd48d8e9131c2de3e41c0eb028bf8cd8ce92de9df01443d1d24c217645b511.exe
3044	980	WerFault.exe	cebd48d8e9131c2de3e41c0eb028bf8cd8ce92de9df01443d1d24c217645b511.exe
1872	980	WerFault.exe	cebd48d8e9131c2de3e41c0eb028bf8cd8ce92de9df01443d1d24c217645b511.exe
2960	980	WerFault.exe	cebd48d8e9131c2de3e41c0eb028bf8cd8ce92de9df01443d1d24c217645b511.exe
1656	980	WerFault.exe	cebd48d8e9131c2de3e41c0eb028bf8cd8ce92de9df01443d1d24c217645b511.exe
3956	980	WerFault.exe	cebd48d8e9131c2de3e41c0eb028bf8cd8ce92de9df01443d1d24c217645b511.exe

Suspicious behavior: EnumeratesProcesses 188 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	process
3136	WerFault.exe
3136	WerFault.exe
3136	WerFault.exe
3136	WerFault.exe
3136	WerFault.exe
3136	WerFault.exe
3136	WerFault.exe
3136	WerFault.exe
3136	WerFault.exe
3136	WerFault.exe
3136	WerFault.exe
3136	WerFault.exe
3136	WerFault.exe
3136	WerFault.exe
2880	WerFault.exe
2880	WerFault.exe
2880	WerFault.exe
2880	WerFault.exe
2880	WerFault.exe
2880	WerFault.exe
2880	WerFault.exe
2880	WerFault.exe
2880	WerFault.exe
2880	WerFault.exe
2880	WerFault.exe
2880	WerFault.exe
2880	WerFault.exe
2880	WerFault.exe
3676	WerFault.exe
3676	WerFault.exe
3676	WerFault.exe
3676	WerFault.exe
3676	WerFault.exe
3676	WerFault.exe
3676	WerFault.exe
3676	WerFault.exe
3676	WerFault.exe
3676	WerFault.exe
3676	WerFault.exe
3676	WerFault.exe
3676	WerFault.exe
3676	WerFault.exe
2972	WerFault.exe
2972	WerFault.exe
2972	WerFault.exe
2972	WerFault.exe
2972	WerFault.exe
2972	WerFault.exe
2972	WerFault.exe
2972	WerFault.exe
2972	WerFault.exe
2972	WerFault.exe
2972	WerFault.exe
2972	WerFault.exe
2972	WerFault.exe
2972	WerFault.exe
3952	WerFault.exe
3952	WerFault.exe
3952	WerFault.exe
3952	WerFault.exe
3952	WerFault.exe
3952	WerFault.exe
3952	WerFault.exe
3952	WerFault.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	pid	process
Token: SeRestorePrivilege	3136	WerFault.exe
Token: SeBackupPrivilege	3136	WerFault.exe
Token: SeDebugPrivilege	3136	WerFault.exe
Token: SeDebugPrivilege	2880	WerFault.exe
Token: SeDebugPrivilege	3676	WerFault.exe
Token: SeDebugPrivilege	2972	WerFault.exe
Token: SeDebugPrivilege	3952	WerFault.exe
Token: SeDebugPrivilege	2884	WerFault.exe
Token: SeDebugPrivilege	3580	WerFault.exe
Token: SeDebugPrivilege	2376	WerFault.exe
Token: SeDebugPrivilege	3044	WerFault.exe
Token: SeDebugPrivilege	1872	WerFault.exe
Token: SeDebugPrivilege	2960	WerFault.exe
Token: SeDebugPrivilege	1656	WerFault.exe
Token: SeDebugPrivilege	3956	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\cebd48d8e9131c2de3e41c0eb028bf8cd8ce92de9df01443d1d24c217645b511.exe
"C:\Users\Admin\AppData\Local\Temp\cebd48d8e9131c2de3e41c0eb028bf8cd8ce92de9df01443d1d24c217645b511.exe"
1⤵
PID:980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 980 -s 784
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 980 -s 932
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 980 -s 1080
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 980 -s 1060
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 980 -s 1092
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 980 -s 1120
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 980 -s 1208
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 980 -s 1432
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 980 -s 1460
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 980 -s 1620
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 980 -s 1576
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 980 -s 1664
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 980 -s 1336
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3956

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/980-0-0x0000000000CC4000-0x0000000000CC5000-memory.dmp

Filesize
4KB

Download
memory/980-1-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

Filesize
4KB

Download
memory/1656-167-0x0000000004A00000-0x0000000004A01000-memory.dmp

Filesize
4KB

Download
memory/1656-164-0x00000000044C0000-0x00000000044C1000-memory.dmp

Filesize
4KB

Download
memory/1872-159-0x0000000004890000-0x0000000004891000-memory.dmp

Filesize
4KB

Download
memory/1872-154-0x00000000047A0000-0x00000000047A1000-memory.dmp

Filesize
4KB

Download
memory/2376-145-0x0000000004730000-0x0000000004731000-memory.dmp

Filesize
4KB

Download
memory/2376-148-0x0000000004F60000-0x0000000004F61000-memory.dmp

Filesize
4KB

Download
memory/2880-6-0x0000000004980000-0x0000000004981000-memory.dmp

Filesize
4KB

Download
memory/2880-9-0x0000000004FB0000-0x0000000004FB1000-memory.dmp

Filesize
4KB

Download
memory/2884-75-0x0000000004330000-0x0000000004331000-memory.dmp

Filesize
4KB

Download
memory/2884-78-0x0000000004960000-0x0000000004961000-memory.dmp

Filesize
4KB

Download
memory/2960-160-0x0000000004330000-0x0000000004331000-memory.dmp

Filesize
4KB

Download
memory/2960-163-0x0000000004B60000-0x0000000004B61000-memory.dmp

Filesize
4KB

Download
memory/2972-67-0x00000000049C0000-0x00000000049C1000-memory.dmp

Filesize
4KB

Download
memory/2972-70-0x0000000004F00000-0x0000000004F01000-memory.dmp

Filesize
4KB

Download
memory/3044-153-0x0000000005520000-0x0000000005521000-memory.dmp

Filesize
4KB

Download
memory/3044-149-0x0000000004C30000-0x0000000004C31000-memory.dmp

Filesize
4KB

Download
memory/3044-152-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/3136-3-0x0000000004310000-0x0000000004311000-memory.dmp

Filesize
4KB

Download
memory/3136-5-0x0000000004840000-0x0000000004841000-memory.dmp

Filesize
4KB

Download
memory/3136-2-0x0000000004310000-0x0000000004311000-memory.dmp

Filesize
4KB

Download
memory/3580-83-0x0000000004D50000-0x0000000004D51000-memory.dmp

Filesize
4KB

Download
memory/3580-87-0x0000000005380000-0x0000000005381000-memory.dmp

Filesize
4KB

Download
memory/3676-14-0x00000000047E0000-0x00000000047E1000-memory.dmp

Filesize
4KB

Download
memory/3676-10-0x00000000042B0000-0x00000000042B1000-memory.dmp

Filesize
4KB

Download
memory/3952-74-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/3952-71-0x0000000004AD0000-0x0000000004AD1000-memory.dmp

Filesize
4KB

Download
memory/3956-168-0x0000000005000000-0x0000000005001000-memory.dmp

Filesize
4KB

Download
memory/3956-171-0x0000000005730000-0x0000000005731000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads