Analysis
-
max time kernel
121s -
max time network
124s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
06-11-2020 00:58
Static task
static1
Behavioral task
behavioral1
Sample
bcd93c7eb4909c04cacc58386cf50aec172ffb8f5f7161bcde3a973007b2f754.exe
Resource
win7v20201028
0 signatures
0 seconds
General
-
Target
bcd93c7eb4909c04cacc58386cf50aec172ffb8f5f7161bcde3a973007b2f754.exe
-
Size
581KB
-
MD5
16bf61b209cfed043e348b8d28fabbaf
-
SHA1
6e8285f96f9056d9483b0e5770644a7d67e90364
-
SHA256
bcd93c7eb4909c04cacc58386cf50aec172ffb8f5f7161bcde3a973007b2f754
-
SHA512
80d19eb5931bfeac07cfe330d57bd2be5a123c3beae3524cfb732230fd6919bb94b72a99c49f6318493d985f66f9133e62135108a2fa59f7a118d77906f5c513
Score
6/10
Malware Config
Signatures
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 5 api.ipify.org 6 api.ipify.org -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 1592 240 WerFault.exe bcd93c7eb4909c04cacc58386cf50aec172ffb8f5f7161bcde3a973007b2f754.exe -
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
WerFault.exepid process 1592 WerFault.exe 1592 WerFault.exe 1592 WerFault.exe 1592 WerFault.exe 1592 WerFault.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
bcd93c7eb4909c04cacc58386cf50aec172ffb8f5f7161bcde3a973007b2f754.exeWerFault.exedescription pid process Token: SeDebugPrivilege 240 bcd93c7eb4909c04cacc58386cf50aec172ffb8f5f7161bcde3a973007b2f754.exe Token: SeDebugPrivilege 1592 WerFault.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
bcd93c7eb4909c04cacc58386cf50aec172ffb8f5f7161bcde3a973007b2f754.exedescription pid process target process PID 240 wrote to memory of 1592 240 bcd93c7eb4909c04cacc58386cf50aec172ffb8f5f7161bcde3a973007b2f754.exe WerFault.exe PID 240 wrote to memory of 1592 240 bcd93c7eb4909c04cacc58386cf50aec172ffb8f5f7161bcde3a973007b2f754.exe WerFault.exe PID 240 wrote to memory of 1592 240 bcd93c7eb4909c04cacc58386cf50aec172ffb8f5f7161bcde3a973007b2f754.exe WerFault.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\bcd93c7eb4909c04cacc58386cf50aec172ffb8f5f7161bcde3a973007b2f754.exe"C:\Users\Admin\AppData\Local\Temp\bcd93c7eb4909c04cacc58386cf50aec172ffb8f5f7161bcde3a973007b2f754.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 240 -s 17242⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/240-0-0x000007FEF52A0000-0x000007FEF5C8C000-memory.dmpFilesize
9.9MB
-
memory/240-1-0x0000000000F20000-0x0000000000F21000-memory.dmpFilesize
4KB
-
memory/1592-3-0x0000000000000000-mapping.dmp
-
memory/1592-4-0x0000000001CF0000-0x0000000001D01000-memory.dmpFilesize
68KB
-
memory/1592-7-0x0000000002AD0000-0x0000000002AE1000-memory.dmpFilesize
68KB