Analysis
- max time kernel: 120s
- max time network: 121s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 15-11-2020 23:00
- Static task: static1
- Behavioral task: behavioral1
  - Sample: b557b4af472ef5827704d4e22fcfc80751f4de5024a09b6d72c62827af963f9c.exe
  - Resource: win7v20201028 (windows7_x64)
  - 0 signatures, 0 seconds
General
- Target: b557b4af472ef5827704d4e22fcfc80751f4de5024a09b6d72c62827af963f9c.exe (the file is named after its own SHA256)
- Size: 487KB
- MD5: 0a2025cfbd9c9fae89bb0163ec1fc8eb
- SHA1: 8b9d5262b31d8d0008765681a6e386597ce1b2e9
- SHA256: b557b4af472ef5827704d4e22fcfc80751f4de5024a09b6d72c62827af963f9c
- SHA512: 7da2c4b7fdf12aef53bd4c8c6603530d84a7b5dde1f6d2ccbc8fa2a6da6d6e1aed405f3084a3933956c173720ead3b5278c6ff7791be7c06e13e660c0989b711
Malware Config
Signatures
- Program crash (6 IoCs)
  All six reports are WerFault.exe instances whose target is the sample process, b557b4af472ef5827704d4e22fcfc80751f4de5024a09b6d72c62827af963f9c.exe (pid_target 648):
  pid   process
  2412  WerFault.exe
  3768  WerFault.exe
  504   WerFault.exe
  200   WerFault.exe
  1404  WerFault.exe
  2724  WerFault.exe
- Suspicious behavior: EnumeratesProcesses (84 IoCs)
  Every entry is WerFault.exe, one per enumeration event. The captured listing repeats pids 2412, 3768, 504, 200 and 1404 and is shorter than the stated 84 entries; WerFault pid 2724 does not appear in it.
- Suspicious use of AdjustPrivilegeToken (8 IoCs)
  token               pid   process
  SeRestorePrivilege  2412  WerFault.exe
  SeBackupPrivilege   2412  WerFault.exe
  SeDebugPrivilege    2412  WerFault.exe
  SeDebugPrivilege    3768  WerFault.exe
  SeDebugPrivilege    504   WerFault.exe
  SeDebugPrivilege    200   WerFault.exe
  SeDebugPrivilege    1404  WerFault.exe
  SeDebugPrivilege    2724  WerFault.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\b557b4af472ef5827704d4e22fcfc80751f4de5024a09b6d72c62827af963f9c.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\b557b4af472ef5827704d4e22fcfc80751f4de5024a09b6d72c62827af963f9c.exe"
  - C:\Windows\SysWOW64\WerFault.exe -u -p 648 -s 740
    Program crash; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe -u -p 648 -s 812
    Program crash; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe -u -p 648 -s 892
    Program crash; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe -u -p 648 -s 852
    Program crash; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe -u -p 648 -s 1188
    Program crash; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe -u -p 648 -s 1272
    Program crash; Suspicious use of AdjustPrivilegeToken
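Every signature in this report is raised by WerFault.exe, the Windows Error Reporting helper, and not by the sample. Each WerFault instance is started with `-p 648`, the sample's PID, and the `-s` value (740, 812, 892, 852, 1188, 1272) is the only argument that changes across the six reports. WerFault enables SeDebugPrivilege so it can open the faulting process to collect a dump, and the sandbox logged it enumerating processes while doing so; both tags are crash-handling side effects, not sample behaviour. The `SysWOW64\WerFault.exe` path also tells you the crashing image is 32-bit. The Python below is an added example, not part of this report or of the sandbox's tooling: it rebuilds the process tree above as inline data (constructed from the page, not captured from a live system; the pairing of each WerFault pid with an `-s` value follows the order in which the report lists them) and separates WerFault-originated signatures from anything the sample did itself.

```python
import re
from collections import defaultdict

# Process records constructed from the process tree in the report above (not captured
# from a live system). The sample is PID 648; every WerFault.exe instance names it via
# "-p 648". The pid-to-"-s" pairing assumes the report lists both in the same order.
SAMPLE = "b557b4af472ef5827704d4e22fcfc80751f4de5024a09b6d72c62827af963f9c.exe"
SAMPLE_PATH = r"C:\Users\Admin\AppData\Local\Temp" + "\\" + SAMPLE
WERFAULT = r"C:\Windows\SysWOW64\WerFault.exe"
CRASH = "Program crash"
ENUM = "Suspicious behavior: EnumeratesProcesses"
PRIV = "Suspicious use of AdjustPrivilegeToken"

PROCESSES = [
    {"pid": 648, "cmdline": f'"{SAMPLE_PATH}"', "signatures": []},
    {"pid": 2412, "cmdline": f"{WERFAULT} -u -p 648 -s 740", "signatures": [CRASH, ENUM, PRIV]},
    {"pid": 3768, "cmdline": f"{WERFAULT} -u -p 648 -s 812", "signatures": [CRASH, ENUM, PRIV]},
    {"pid": 504, "cmdline": f"{WERFAULT} -u -p 648 -s 892", "signatures": [CRASH, ENUM, PRIV]},
    {"pid": 200, "cmdline": f"{WERFAULT} -u -p 648 -s 852", "signatures": [CRASH, ENUM, PRIV]},
    {"pid": 1404, "cmdline": f"{WERFAULT} -u -p 648 -s 1188", "signatures": [CRASH, ENUM, PRIV]},
    {"pid": 2724, "cmdline": f"{WERFAULT} -u -p 648 -s 1272", "signatures": [CRASH, PRIV]},
]

_WERFAULT_RE = re.compile(r"(?i)\bwerfault\.exe\b(?P<args>.*)$")
_OPT_RE = re.compile(r"-(?P<flag>[ups])\b(?:\s+(?P<val>\d+))?")


def parse_werfault_cmdline(cmdline):
    """Parse a WerFault.exe command line of the form seen in the report.
    -u marks a user-mode crash, -p is the PID of the faulting process and -s is a
    handle WerFault receives for synchronising with it (the only value that differs
    between the six reports). Returns None for anything that is not WerFault."""
    m = _WERFAULT_RE.search(cmdline)
    if not m:
        return None
    info = {"target_pid": None, "handle": None, "user_mode": False}
    for opt in _OPT_RE.finditer(m.group("args")):
        flag, val = opt.group("flag"), opt.group("val")
        if flag == "u":
            info["user_mode"] = True
        elif flag == "p" and val is not None:
            info["target_pid"] = int(val)
        elif flag == "s" and val is not None:
            info["handle"] = int(val)
    # A WerFault line without -p tells us nothing about who crashed.
    return info if info["target_pid"] is not None else None


def attribute_crashes(processes):
    """Map each crashed PID to the WerFault PIDs that reported on it, in report order."""
    targets = defaultdict(list)
    for proc in processes:
        info = parse_werfault_cmdline(proc["cmdline"])
        if info and CRASH in proc["signatures"]:
            targets[info["target_pid"]].append(proc["pid"])
    return dict(targets)


def triage(processes, sample_pid=648):
    """Split the report's signatures into those raised by WerFault while handling a
    crash and those raised by any other process, the sample included."""
    from_werfault, from_others = set(), defaultdict(set)
    for proc in processes:
        if parse_werfault_cmdline(proc["cmdline"]):
            from_werfault.update(proc["signatures"])
        else:
            from_others[proc["pid"]].update(proc["signatures"])
    crash_targets = attribute_crashes(processes)
    return {
        "sample_pid": sample_pid,
        "crash_count": len(crash_targets.get(sample_pid, [])),
        "crash_targets": crash_targets,
        "signatures_from_werfault": from_werfault,
        "signatures_from_sample": from_others.get(sample_pid, set()),
        # True when no process other than WerFault carries a signature: the run
        # recorded a crash loop, not observable sample behaviour.
        "only_werfault_noise": not any(from_others.values()),
    }


def summary(processes, sample_pid=648):
    """One-line verdict suitable for a triage note."""
    r = triage(processes, sample_pid)
    return (f"pid {sample_pid} crashed {r['crash_count']} time(s); "
            f"{len(r['signatures_from_werfault'])} signature type(s) come from WerFault.exe, "
            f"{len(r['signatures_from_sample'])} from the sample itself")


if __name__ == "__main__":
    print(summary(PROCESSES))
```

Run against the report's data this yields six crash reports for pid 648, three signature types all owned by WerFault and none owned by the sample, which is the practical reading of this page: the binary faulted repeatedly on the Windows 10 host and never got far enough to show what it does. The same filter applied to a run where the sample spawns children or carries its own tags would leave those in `signatures_from_sample`, which is where a reviewer's attention belongs.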
Network
MITRE ATT&CK Matrix
Downloads
Memory dumps (4KB each):
- memory/200-17-0x0000000005590000-0x0000000005591000-memory.dmp
- memory/200-14-0x0000000005060000-0x0000000005061000-memory.dmp
- memory/504-13-0x0000000004950000-0x0000000004951000-memory.dmp
- memory/504-10-0x0000000004610000-0x0000000004611000-memory.dmp
- memory/648-1-0x00000000012C0000-0x00000000012C1000-memory.dmp
- memory/648-0-0x0000000000E1F000-0x0000000000E20000-memory.dmp
- memory/1404-21-0x00000000058B0000-0x00000000058B1000-memory.dmp
- memory/1404-18-0x0000000005080000-0x0000000005081000-memory.dmp
- memory/2412-3-0x00000000049B0000-0x00000000049B1000-memory.dmp
- memory/2412-5-0x0000000004EE0000-0x0000000004EE1000-memory.dmp
- memory/2412-2-0x00000000049B0000-0x00000000049B1000-memory.dmp
- memory/2724-22-0x0000000004610000-0x0000000004611000-memory.dmp
- memory/2724-25-0x0000000004E40000-0x0000000004E41000-memory.dmp
- memory/3768-9-0x00000000056E0000-0x00000000056E1000-memory.dmp
- memory/3768-6-0x00000000051B0000-0x00000000051B1000-memory.dmp