Overview

overview

7

Static

static

17cd806ef5...43.exe

windows7_x64

7

17cd806ef5...43.exe

windows10_x64

3

Analysis

  • max time kernel
    67s
  • max time network
    131s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    08-11-2020 17:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    17cd806ef5f500c8fdd0a2f18cbff5ec713f5701d3c713d02409f2d0f2207a43.exe

  • Size

    598KB

  • MD5

    9100bc30a19d9d5ae2249d3fd804d086

  • SHA1

    c5be3f0e73738dbeb9663fb178b2c5b8a03dff5b

  • SHA256

    17cd806ef5f500c8fdd0a2f18cbff5ec713f5701d3c713d02409f2d0f2207a43

  • SHA512

    c89e2104101d16f12596da8d0f0d43418bd6283d01a255b8278f00aeafdfc6eea653761b999ec024ad77a9e2968d5b1c41f0b3c857b49bc9179f961c6568604d

Score
3/10

Malware Config

Signatures

  • Program crash 14 IoCs
  • Suspicious behavior: EnumeratesProcesses 213 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\17cd806ef5f500c8fdd0a2f18cbff5ec713f5701d3c713d02409f2d0f2207a43.exe
    "C:\Users\Admin\AppData\Local\Temp\17cd806ef5f500c8fdd0a2f18cbff5ec713f5701d3c713d02409f2d0f2207a43.exe"
    1⤵
      PID:4752
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 816
        2⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4232
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 932
        2⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3232
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 1076
        2⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3196
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 1052
        2⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3104
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 1088
        2⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:576
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 1084
        2⤵
        • Program crash
        • Suspicious use of AdjustPrivilegeToken
        PID:836
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 1208
        2⤵
        • Program crash
        • Suspicious use of AdjustPrivilegeToken
        PID:1128
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 1416
        2⤵
        • Program crash
        • Suspicious use of AdjustPrivilegeToken
        PID:1336
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 1620
        2⤵
        • Program crash
        • Suspicious use of AdjustPrivilegeToken
        PID:1580
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 1380
        2⤵
        • Program crash
        • Suspicious use of AdjustPrivilegeToken
        PID:1916
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 1380
        2⤵
        • Program crash
        • Suspicious use of AdjustPrivilegeToken
        PID:2296
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 1680
        2⤵
        • Program crash
        • Suspicious use of AdjustPrivilegeToken
        PID:2580
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 1720
        2⤵
        • Program crash
        • Suspicious use of AdjustPrivilegeToken
        PID:2980
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 1392
        2⤵
        • Program crash
        • Suspicious use of AdjustPrivilegeToken
        PID:3084

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/576-18-0x00000000042D0000-0x00000000042D1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/576-21-0x0000000004900000-0x0000000004901000-memory.dmp
      Filesize

      4KB

      Download
    • memory/836-25-0x0000000004B10000-0x0000000004B11000-memory.dmp
      Filesize

      4KB

      Download
    • memory/836-22-0x00000000044E0000-0x00000000044E1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1128-29-0x0000000004E90000-0x0000000004E91000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1128-26-0x0000000004960000-0x0000000004961000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1336-33-0x00000000056F0000-0x00000000056F1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1336-30-0x0000000004E40000-0x0000000004E41000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1580-37-0x0000000005840000-0x0000000005841000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1580-34-0x0000000005010000-0x0000000005011000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1916-38-0x0000000004420000-0x0000000004421000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1916-43-0x0000000004810000-0x0000000004811000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2296-44-0x00000000044E0000-0x00000000044E1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2296-47-0x0000000004C10000-0x0000000004C11000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2580-51-0x00000000048F0000-0x00000000048F1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2580-54-0x0000000005020000-0x0000000005021000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2980-58-0x0000000005320000-0x0000000005321000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2980-55-0x0000000004AF0000-0x0000000004AF1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3084-59-0x00000000042D0000-0x00000000042D1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3084-62-0x0000000004B00000-0x0000000004B01000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3104-17-0x00000000054A0000-0x00000000054A1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3104-14-0x0000000004EE0000-0x0000000004EE1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3196-10-0x00000000046D0000-0x00000000046D1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3196-13-0x0000000004B00000-0x0000000004B01000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3232-6-0x0000000004FA0000-0x0000000004FA1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3232-9-0x00000000055D0000-0x00000000055D1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4232-2-0x0000000004BA0000-0x0000000004BA1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4232-3-0x0000000004BA0000-0x0000000004BA1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4232-5-0x00000000050D0000-0x00000000050D1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4752-0-0x0000000000E84000-0x0000000000E85000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4752-1-0x0000000002BE0000-0x0000000002BE1000-memory.dmp
      Filesize

      4KB

      Download