f787da827692a663c8c3736490a0ace0984679661f9bcac5dc4721f3063fe6c8

General

Target

f787da827692a663c8c3736490a0ace0984679661f9bcac5dc4721f3063fe6c8.exe
Size

690KB
MD5

93f9c868d2d08f2b913579c04cdb06de
SHA1

dbf05c7711c020fef077ae8f72e4a5727ebb3a26
SHA256

f787da827692a663c8c3736490a0ace0984679661f9bcac5dc4721f3063fe6c8
SHA512

73d998218f1b76e163089e593dfc665a2453a26a6b03bdc77068cca34f523f4c6db39de505ec472dc47564a0dcb245e9662686cc254f8baa91b8b3a9af8c2149

Score

3^/10

Malware Config

Signatures

Program crash 14 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3432	4644	WerFault.exe	f787da827692a663c8c3736490a0ace0984679661f9bcac5dc4721f3063fe6c8.exe
3688	4644	WerFault.exe	f787da827692a663c8c3736490a0ace0984679661f9bcac5dc4721f3063fe6c8.exe
420	4644	WerFault.exe	f787da827692a663c8c3736490a0ace0984679661f9bcac5dc4721f3063fe6c8.exe
3256	4644	WerFault.exe	f787da827692a663c8c3736490a0ace0984679661f9bcac5dc4721f3063fe6c8.exe
3336	4644	WerFault.exe	f787da827692a663c8c3736490a0ace0984679661f9bcac5dc4721f3063fe6c8.exe
1764	4644	WerFault.exe	f787da827692a663c8c3736490a0ace0984679661f9bcac5dc4721f3063fe6c8.exe
3244	4644	WerFault.exe	f787da827692a663c8c3736490a0ace0984679661f9bcac5dc4721f3063fe6c8.exe
4300	4644	WerFault.exe	f787da827692a663c8c3736490a0ace0984679661f9bcac5dc4721f3063fe6c8.exe
2016	4644	WerFault.exe	f787da827692a663c8c3736490a0ace0984679661f9bcac5dc4721f3063fe6c8.exe
1424	4644	WerFault.exe	f787da827692a663c8c3736490a0ace0984679661f9bcac5dc4721f3063fe6c8.exe
4452	4644	WerFault.exe	f787da827692a663c8c3736490a0ace0984679661f9bcac5dc4721f3063fe6c8.exe
1760	4644	WerFault.exe	f787da827692a663c8c3736490a0ace0984679661f9bcac5dc4721f3063fe6c8.exe
2148	4644	WerFault.exe	f787da827692a663c8c3736490a0ace0984679661f9bcac5dc4721f3063fe6c8.exe
2456	4644	WerFault.exe	f787da827692a663c8c3736490a0ace0984679661f9bcac5dc4721f3063fe6c8.exe

Suspicious behavior: EnumeratesProcesses 202 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	process
3432	WerFault.exe
3432	WerFault.exe
3432	WerFault.exe
3432	WerFault.exe
3432	WerFault.exe
3432	WerFault.exe
3432	WerFault.exe
3432	WerFault.exe
3432	WerFault.exe
3432	WerFault.exe
3432	WerFault.exe
3432	WerFault.exe
3432	WerFault.exe
3432	WerFault.exe
3688	WerFault.exe
3688	WerFault.exe
3688	WerFault.exe
3688	WerFault.exe
3688	WerFault.exe
3688	WerFault.exe
3688	WerFault.exe
3688	WerFault.exe
3688	WerFault.exe
3688	WerFault.exe
3688	WerFault.exe
3688	WerFault.exe
3688	WerFault.exe
3688	WerFault.exe
420	WerFault.exe
420	WerFault.exe
420	WerFault.exe
420	WerFault.exe
420	WerFault.exe
420	WerFault.exe
420	WerFault.exe
420	WerFault.exe
420	WerFault.exe
420	WerFault.exe
420	WerFault.exe
420	WerFault.exe
420	WerFault.exe
420	WerFault.exe
3256	WerFault.exe
3256	WerFault.exe
3256	WerFault.exe
3256	WerFault.exe
3256	WerFault.exe
3256	WerFault.exe
3256	WerFault.exe
3256	WerFault.exe
3256	WerFault.exe
3256	WerFault.exe
3256	WerFault.exe
3256	WerFault.exe
3256	WerFault.exe
3256	WerFault.exe
3336	WerFault.exe
3336	WerFault.exe
3336	WerFault.exe
3336	WerFault.exe
3336	WerFault.exe
3336	WerFault.exe
3336	WerFault.exe
3336	WerFault.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	pid	process
Token: SeRestorePrivilege	3432	WerFault.exe
Token: SeBackupPrivilege	3432	WerFault.exe
Token: SeDebugPrivilege	3432	WerFault.exe
Token: SeDebugPrivilege	3688	WerFault.exe
Token: SeDebugPrivilege	420	WerFault.exe
Token: SeDebugPrivilege	3256	WerFault.exe
Token: SeDebugPrivilege	3336	WerFault.exe
Token: SeDebugPrivilege	1764	WerFault.exe
Token: SeDebugPrivilege	3244	WerFault.exe
Token: SeDebugPrivilege	4300	WerFault.exe
Token: SeDebugPrivilege	2016	WerFault.exe
Token: SeDebugPrivilege	1424	WerFault.exe
Token: SeDebugPrivilege	4452	WerFault.exe
Token: SeDebugPrivilege	1760	WerFault.exe
Token: SeDebugPrivilege	2148	WerFault.exe
Token: SeDebugPrivilege	2456	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\f787da827692a663c8c3736490a0ace0984679661f9bcac5dc4721f3063fe6c8.exe
"C:\Users\Admin\AppData\Local\Temp\f787da827692a663c8c3736490a0ace0984679661f9bcac5dc4721f3063fe6c8.exe"
1⤵
PID:4644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4644 -s 824
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4644 -s 936
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4644 -s 1000
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4644 -s 1120
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4644 -s 1104
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4644 -s 1132
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4644 -s 1204
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4644 -s 1420
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:4300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4644 -s 1492
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4644 -s 1376
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4644 -s 1484
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:4452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4644 -s 1284
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4644 -s 1632
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4644 -s 1660
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2456

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/420-10-0x0000000004C30000-0x0000000004C31000-memory.dmp

Filesize
4KB

Download
memory/420-13-0x0000000005360000-0x0000000005361000-memory.dmp

Filesize
4KB

Download
memory/1424-108-0x0000000005720000-0x0000000005721000-memory.dmp

Filesize
4KB

Download
memory/1424-105-0x0000000004DF0000-0x0000000004DF1000-memory.dmp

Filesize
4KB

Download
memory/1760-116-0x00000000055A0000-0x00000000055A1000-memory.dmp

Filesize
4KB

Download
memory/1760-113-0x0000000004C70000-0x0000000004C71000-memory.dmp

Filesize
4KB

Download
memory/1764-22-0x0000000004260000-0x0000000004261000-memory.dmp

Filesize
4KB

Download
memory/1764-25-0x0000000004A10000-0x0000000004A11000-memory.dmp

Filesize
4KB

Download
memory/2016-38-0x0000000004EC0000-0x0000000004EC1000-memory.dmp

Filesize
4KB

Download
memory/2016-34-0x0000000004510000-0x0000000004511000-memory.dmp

Filesize
4KB

Download
memory/2148-117-0x0000000004800000-0x0000000004801000-memory.dmp

Filesize
4KB

Download
memory/2148-120-0x0000000005130000-0x0000000005131000-memory.dmp

Filesize
4KB

Download
memory/2456-121-0x0000000004D90000-0x0000000004D91000-memory.dmp

Filesize
4KB

Download
memory/2456-124-0x00000000055C0000-0x00000000055C1000-memory.dmp

Filesize
4KB

Download
memory/3244-29-0x0000000005140000-0x0000000005141000-memory.dmp

Filesize
4KB

Download
memory/3244-26-0x0000000004A10000-0x0000000004A11000-memory.dmp

Filesize
4KB

Download
memory/3256-14-0x0000000004FC0000-0x0000000004FC1000-memory.dmp

Filesize
4KB

Download
memory/3256-17-0x00000000056F0000-0x00000000056F1000-memory.dmp

Filesize
4KB

Download
memory/3336-18-0x0000000004240000-0x0000000004241000-memory.dmp

Filesize
4KB

Download
memory/3432-3-0x00000000049A0000-0x00000000049A1000-memory.dmp

Filesize
4KB

Download
memory/3432-5-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/3432-2-0x00000000049A0000-0x00000000049A1000-memory.dmp

Filesize
4KB

Download
memory/3688-6-0x0000000004B20000-0x0000000004B21000-memory.dmp

Filesize
4KB

Download
memory/3688-9-0x0000000005150000-0x0000000005151000-memory.dmp

Filesize
4KB

Download
memory/4300-30-0x0000000004FF0000-0x0000000004FF1000-memory.dmp

Filesize
4KB

Download
memory/4300-33-0x0000000005920000-0x0000000005921000-memory.dmp

Filesize
4KB

Download
memory/4452-112-0x0000000005980000-0x0000000005981000-memory.dmp

Filesize
4KB

Download
memory/4452-109-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/4644-1-0x0000000002B80000-0x0000000002B81000-memory.dmp

Filesize
4KB

Download
memory/4644-0-0x0000000000DD6000-0x0000000000DD7000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads