683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96

General

Target

683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe
Size

49KB
MD5

46bfd4f1d581d7c0121d2b19a005d3df
SHA1

5b063298bbd1670b4d39e1baef67f854b8dcba9d
SHA256

683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96
SHA512

b52aa090f689765d099689700be7e18922137e7a860a00113e3f72aa6553e94a870bbb741e52de9617506a236a2a59198fb224fcd128576d76642eec9d715df5

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 648 set thread context of 3188	648	683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe	75

Program crash 1 IoCs

pid	pid_target	Process	procid_target
496	3188	WerFault.exe	75

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
496	WerFault.exe
496	WerFault.exe
496	WerFault.exe
496	WerFault.exe
496	WerFault.exe
496	WerFault.exe
496	WerFault.exe
496	WerFault.exe
496	WerFault.exe
496	WerFault.exe
496	WerFault.exe
496	WerFault.exe
496	WerFault.exe
496	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	496	WerFault.exe
Token: SeBackupPrivilege	496	WerFault.exe
Token: SeDebugPrivilege	496	WerFault.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 648 wrote to memory of 3188	648	683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe	75
PID 648 wrote to memory of 3188	648	683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe	75
PID 648 wrote to memory of 3188	648	683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe	75
PID 648 wrote to memory of 3188	648	683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe	75
PID 648 wrote to memory of 3188	648	683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe	75
PID 648 wrote to memory of 3188	648	683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe	75
PID 648 wrote to memory of 3188	648	683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe	75
PID 648 wrote to memory of 3188	648	683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe	75
PID 648 wrote to memory of 3188	648	683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe	75

C:\Users\Admin\AppData\Local\Temp\683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe
"C:\Users\Admin\AppData\Local\Temp\683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:648
- C:\Users\Admin\AppData\Local\Temp\683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe
  "C:\Users\Admin\AppData\Local\Temp\683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe"
  2⤵
  PID:3188
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3188 -s 496
    3⤵
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:496

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/496-19-0x0000000004D80000-0x0000000004D81000-memory.dmp

Filesize
4KB

Download
memory/496-5-0x0000000004D80000-0x0000000004D81000-memory.dmp

Filesize
4KB

Download
memory/496-35-0x0000000004D80000-0x0000000004D81000-memory.dmp

Filesize
4KB

Download
memory/496-21-0x0000000004D80000-0x0000000004D81000-memory.dmp

Filesize
4KB

Download
memory/496-6-0x0000000004D80000-0x0000000004D81000-memory.dmp

Filesize
4KB

Download
memory/496-22-0x0000000004D80000-0x0000000004D81000-memory.dmp

Filesize
4KB

Download
memory/496-10-0x0000000004D80000-0x0000000004D81000-memory.dmp

Filesize
4KB

Download
memory/496-12-0x0000000004D80000-0x0000000004D81000-memory.dmp

Filesize
4KB

Download
memory/496-11-0x0000000004D80000-0x0000000004D81000-memory.dmp

Filesize
4KB

Download
memory/496-14-0x0000000004D80000-0x0000000004D81000-memory.dmp

Filesize
4KB

Download
memory/496-13-0x0000000004D80000-0x0000000004D81000-memory.dmp

Filesize
4KB

Download
memory/496-15-0x0000000004D80000-0x0000000004D81000-memory.dmp

Filesize
4KB

Download
memory/496-16-0x0000000004D80000-0x0000000004D81000-memory.dmp

Filesize
4KB

Download
memory/496-17-0x0000000004D80000-0x0000000004D81000-memory.dmp

Filesize
4KB

Download
memory/496-18-0x0000000004D80000-0x0000000004D81000-memory.dmp

Filesize
4KB

Download
memory/496-20-0x0000000004D80000-0x0000000004D81000-memory.dmp

Filesize
4KB

Download
memory/496-37-0x0000000004D80000-0x0000000004D81000-memory.dmp

Filesize
4KB

Download
memory/496-36-0x0000000004D80000-0x0000000004D81000-memory.dmp

Filesize
4KB

Download
memory/496-7-0x0000000004D80000-0x0000000004D81000-memory.dmp

Filesize
4KB

Download
memory/496-24-0x0000000004D80000-0x0000000004D81000-memory.dmp

Filesize
4KB

Download
memory/496-23-0x0000000004D80000-0x0000000004D81000-memory.dmp

Filesize
4KB

Download
memory/496-26-0x0000000004D80000-0x0000000004D81000-memory.dmp

Filesize
4KB

Download
memory/496-25-0x0000000004D80000-0x0000000004D81000-memory.dmp

Filesize
4KB

Download
memory/496-27-0x0000000004D80000-0x0000000004D81000-memory.dmp

Filesize
4KB

Download
memory/496-28-0x0000000004D80000-0x0000000004D81000-memory.dmp

Filesize
4KB

Download
memory/496-29-0x0000000004D80000-0x0000000004D81000-memory.dmp

Filesize
4KB

Download
memory/496-31-0x0000000004D80000-0x0000000004D81000-memory.dmp

Filesize
4KB

Download
memory/496-30-0x0000000004D80000-0x0000000004D81000-memory.dmp

Filesize
4KB

Download
memory/496-33-0x0000000004D80000-0x0000000004D81000-memory.dmp

Filesize
4KB

Download
memory/496-32-0x0000000004D80000-0x0000000004D81000-memory.dmp

Filesize
4KB

Download
memory/496-34-0x0000000004D80000-0x0000000004D81000-memory.dmp

Filesize
4KB

Download
memory/3188-3-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3188-4-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3188-2-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing