812fca175f63a63380cc09b822399dc99cf2f0e9248003ed76cfb26033828f09 | Triage

Resubmissions

29-11-2020 11:01

201129-d4be3v1hha 10

29-11-2020 09:57

201129-jrbzljg4bn 10

22-11-2020 09:12

201122-mn1g1mmfh2 10

20-11-2020 12:13

201120-mhdv9tfvhs 10

Analysis

max time kernel
181s
max time network
180s
platform
windows7_x64
resource
win7v20201028
submitted
29-11-2020 11:01

Sharing

Report Analysis Logs

General

Target

812fca175f63a63380cc09b822399dc99cf2f0e9248003ed76cfb26033828f09.exe
Size

226KB
MD5

2c6261543b4afdc73780193769c4b971
SHA1

ce578cfd43137888d4be4c2d3d39e9a0d70cc22d
SHA256

812fca175f63a63380cc09b822399dc99cf2f0e9248003ed76cfb26033828f09
SHA512

5619c2418d292bc490225b9661975939a767f5c464a30f6c85746b13e06fef56ba15eb730645a571885e6423bcaea337c3b0f0ebfd45edd9643b2fb4c47eda8d

Score

6^/10

Malware Config

Signatures

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

12 wtfismyip.com
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

wermgr.exe

description pid process

Token: SeDebugPrivilege 1624 wermgr.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

812fca175f63a63380cc09b822399dc99cf2f0e9248003ed76cfb26033828f09.exe

description	pid	process	target process
PID 1824 wrote to memory of 1624	1824	812fca175f63a63380cc09b822399dc99cf2f0e9248003ed76cfb26033828f09.exe	wermgr.exe
PID 1824 wrote to memory of 1624	1824	812fca175f63a63380cc09b822399dc99cf2f0e9248003ed76cfb26033828f09.exe	wermgr.exe
PID 1824 wrote to memory of 1624	1824	812fca175f63a63380cc09b822399dc99cf2f0e9248003ed76cfb26033828f09.exe	wermgr.exe
PID 1824 wrote to memory of 1624	1824	812fca175f63a63380cc09b822399dc99cf2f0e9248003ed76cfb26033828f09.exe	wermgr.exe
PID 1824 wrote to memory of 1624	1824	812fca175f63a63380cc09b822399dc99cf2f0e9248003ed76cfb26033828f09.exe	wermgr.exe
PID 1824 wrote to memory of 1624	1824	812fca175f63a63380cc09b822399dc99cf2f0e9248003ed76cfb26033828f09.exe	wermgr.exe

C:\Users\Admin\AppData\Local\Temp\812fca175f63a63380cc09b822399dc99cf2f0e9248003ed76cfb26033828f09.exe
"C:\Users\Admin\AppData\Local\Temp\812fca175f63a63380cc09b822399dc99cf2f0e9248003ed76cfb26033828f09.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1824

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1624

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1624-2-0x0000000000000000-mapping.dmp

Download