bcd93c7eb4909c04cacc58386cf50aec172ffb8f5f7161bcde3a973007b2f754

Analysis

Target

bcd93c7eb4909c04cacc58386cf50aec172ffb8f5f7161bcde3a973007b2f754.exe
Size

581KB
MD5

16bf61b209cfed043e348b8d28fabbaf
SHA1

6e8285f96f9056d9483b0e5770644a7d67e90364
SHA256

bcd93c7eb4909c04cacc58386cf50aec172ffb8f5f7161bcde3a973007b2f754
SHA512

80d19eb5931bfeac07cfe330d57bd2be5a123c3beae3524cfb732230fd6919bb94b72a99c49f6318493d985f66f9133e62135108a2fa59f7a118d77906f5c513

Score

6^/10

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 api.ipify.org
6 api.ipify.org
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1592 240 WerFault.exe bcd93c7eb4909c04cacc58386cf50aec172ffb8f5f7161bcde3a973007b2f754.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

WerFault.exe

pid process

1592 WerFault.exe
1592 WerFault.exe
1592 WerFault.exe
1592 WerFault.exe
1592 WerFault.exe

flow	ioc
5	api.ipify.org
6	api.ipify.org

pid	pid_target	process	target process
1592	240	WerFault.exe	bcd93c7eb4909c04cacc58386cf50aec172ffb8f5f7161bcde3a973007b2f754.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

bcd93c7eb4909c04cacc58386cf50aec172ffb8f5f7161bcde3a973007b2f754.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	240	bcd93c7eb4909c04cacc58386cf50aec172ffb8f5f7161bcde3a973007b2f754.exe
Token: SeDebugPrivilege	1592	WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

bcd93c7eb4909c04cacc58386cf50aec172ffb8f5f7161bcde3a973007b2f754.exe

description	pid	process	target process
PID 240 wrote to memory of 1592	240	bcd93c7eb4909c04cacc58386cf50aec172ffb8f5f7161bcde3a973007b2f754.exe	WerFault.exe
PID 240 wrote to memory of 1592	240	bcd93c7eb4909c04cacc58386cf50aec172ffb8f5f7161bcde3a973007b2f754.exe	WerFault.exe
PID 240 wrote to memory of 1592	240	bcd93c7eb4909c04cacc58386cf50aec172ffb8f5f7161bcde3a973007b2f754.exe	WerFault.exe

memory/240-0-0x000007FEF52A0000-0x000007FEF5C8C000-memory.dmp

Filesize
9.9MB

Download
memory/240-1-0x0000000000F20000-0x0000000000F21000-memory.dmp

Filesize
4KB

Download
memory/1592-3-0x0000000000000000-mapping.dmp

Download
memory/1592-4-0x0000000001CF0000-0x0000000001D01000-memory.dmp

Filesize
68KB

Download
memory/1592-7-0x0000000002AD0000-0x0000000002AE1000-memory.dmp

Filesize
68KB

Download