Analysis
- max time kernel: 141s
- max time network: 140s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 17-11-2020 15:16

Static task: static1
Behavioral task: behavioral1
- Sample: 13d84033f65345d8a87391ec0eb6b482.exe
- Resource: win7v20201028
- Platform: windows7_x64
- 0 signatures
- 0 seconds
General
- Target: 13d84033f65345d8a87391ec0eb6b482.exe
- Size: 28KB
- MD5: 13d84033f65345d8a87391ec0eb6b482
- SHA1: b6354b17def07e0ead0f90a30b50c9090e720e5f
- SHA256: 099803578388c6f4a6a4904fdb0b8b8e77e7ee9c14eccbda79272baf92093e18
- SHA512: 5093353181b2c6cb0ec0c421e7e5b87e3e222fd6fb5e250bed960ebad1a0041be4e7ba412067e1c6d4eba6e1248c59022eef87c281346c507aa0ae8990fe285f
- Score: 3/10
Malware Config
Signatures
- Program crash (1 IoC)
  Processes:
    pid 276 (WerFault.exe), pid_target 364 (13d84033f65345d8a87391ec0eb6b482.exe)
- Delays execution with timeout.exe (1 IoC)
  Processes:
    pid 1812 (timeout.exe)
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes:
    pid 276 (WerFault.exe), reported 5 times
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    Token: SeDebugPrivilege, pid 364 (13d84033f65345d8a87391ec0eb6b482.exe)
    Token: SeDebugPrivilege, pid 276 (WerFault.exe)
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
    PID 364 (13d84033f65345d8a87391ec0eb6b482.exe) wrote to memory of 1812 (timeout.exe), reported 4 times
    PID 364 (13d84033f65345d8a87391ec0eb6b482.exe) wrote to memory of 276 (WerFault.exe), reported 4 times
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\13d84033f65345d8a87391ec0eb6b482.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\13d84033f65345d8a87391ec0eb6b482.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\timeout.exe
    Command line: timeout 5
    - Delays execution with timeout.exe
  - [2] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 364 -s 984
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/276-4-0x0000000000000000-mapping.dmp
- memory/276-5-0x0000000001D70000-0x0000000001D81000-memory.dmp (Filesize: 68KB)
- memory/276-6-0x00000000026E0000-0x00000000026F1000-memory.dmp (Filesize: 68KB)
- memory/364-0-0x0000000073F40000-0x000000007462E000-memory.dmp (Filesize: 6.9MB)
- memory/364-1-0x000000000FCE0000-0x000000000FCE1000-memory.dmp (Filesize: 4KB)
- memory/1812-3-0x0000000000000000-mapping.dmp