Analysis
- max time kernel: 51s
- max time network: 12s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 21-11-2020 12:18
Static task: static1
Behavioral task: behavioral1
- Sample: Mailflow Cracked/Mailflow.exe
- Resource: win7v20201028
- Platform: windows7_x64
- 0 signatures
- 0 seconds
Behavioral task: behavioral2
- Sample: Mailflow Cracked/Mailflow.exe
- Resource: win10v20201028
- Platform: windows10_x64
- 0 signatures
- 0 seconds
General
- Target: Mailflow Cracked/Mailflow.exe
- Size: 4.3MB
- MD5: b515751ff6cbbd648d2b8a30ecca56e1
- SHA1: 5e967e855bb5c42ff8b10be7ef57e5431dc3fcf5
- SHA256: e6ffafa751911d0a8d49844aaca114388aef42b0980b566636ea06bc2be8e07a
- SHA512: 19c9e754faf934e3c04ad6c97ceae030f82f41d193234ddea4c2ac347e12a4cd286ce4dfeb401de3886742b39dfc1c2c26b3f05ba6130a445829b82103263c25
- Score: 3/10
Malware Config
Signatures
- Program crash (1 IoC)
  Processes:
  pid | pid_target | process | target process
  268 | 1732 | WerFault.exe | Mailflow.exe
- Modifies registry class (2 IoCs)
  Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_Classes\Local Settings | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache | rundll32.exe
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes:
  pid | process
  268 | WerFault.exe
  268 | WerFault.exe
  268 | WerFault.exe
  268 | WerFault.exe
  268 | WerFault.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 268 | WerFault.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes:
  pid | process
  1732 | Mailflow.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
  description | pid | process | target process
  PID 1732 wrote to memory of 268 | 1732 | Mailflow.exe | WerFault.exe
  PID 1732 wrote to memory of 268 | 1732 | Mailflow.exe | WerFault.exe
  PID 1732 wrote to memory of 268 | 1732 | Mailflow.exe | WerFault.exe
  PID 1732 wrote to memory of 268 | 1732 | Mailflow.exe | WerFault.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Mailflow Cracked\Mailflow.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Mailflow Cracked\Mailflow.exe"
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1732 -s 924
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\rundll32.exe
  Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\UninstallSet.vsdx
  - Modifies registry class
Network
MITRE ATT&CK Matrix
Downloads
- memory/268-3-0x0000000000000000-mapping.dmp
- memory/268-4-0x0000000001FC0000-0x0000000001FD1000-memory.dmp (Filesize: 68KB)
- memory/268-7-0x00000000028B0000-0x00000000028C1000-memory.dmp (Filesize: 68KB)
- memory/1732-0-0x00000000748A0000-0x0000000074F8E000-memory.dmp (Filesize: 6.9MB)
- memory/1732-1-0x0000000000370000-0x0000000000371000-memory.dmp (Filesize: 4KB)