4c1baefb3e979faa7733ff1269d1909553eb583c9994c93e80207993ab05b414

General

Target

cheat_417615128.exe
Size

2.8MB
MD5

ad5b3a6c1f20e8e3fdd53ccd00ceac4e
SHA1

39983d7eb929e2ab3855bb0b6cf1fc9f644c2b1c
SHA256

e8d312cec2a96d167a27898fbc99d5edaaa8b34e805bb57904561eec1f55e618
SHA512

b46e751ed9db95fbeb966151bd84a6b5c1421d5e66ed291cf4a749cd9292a44968cfaeaa49502de5ca895e3fed8296d0fdc91dcbc05dfec6b19e418d3cf64b2b

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

cheat_417615128.tmpFugiat.exe

pid process

3048 cheat_417615128.tmp
416 Fugiat.exe
Loads dropped DLL 1 IoCs

Processes:

Fugiat.exe

pid process

416 Fugiat.exe

pid	process
3048	cheat_417615128.tmp
416	Fugiat.exe

Program crash 14 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3992	416	WerFault.exe	Fugiat.exe
1404	416	WerFault.exe	Fugiat.exe
2312	416	WerFault.exe	Fugiat.exe
1756	416	WerFault.exe	Fugiat.exe
2616	416	WerFault.exe	Fugiat.exe
3160	416	WerFault.exe	Fugiat.exe
1120	416	WerFault.exe	Fugiat.exe
2124	416	WerFault.exe	Fugiat.exe
4028	416	WerFault.exe	Fugiat.exe
3780	416	WerFault.exe	Fugiat.exe
2724	416	WerFault.exe	Fugiat.exe
2648	416	WerFault.exe	Fugiat.exe
2220	416	WerFault.exe	Fugiat.exe
2612	416	WerFault.exe	Fugiat.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Fugiat.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	process
416	Fugiat.exe
416	Fugiat.exe
3992	WerFault.exe
3992	WerFault.exe
3992	WerFault.exe
3992	WerFault.exe
3992	WerFault.exe
3992	WerFault.exe
3992	WerFault.exe
3992	WerFault.exe
3992	WerFault.exe
3992	WerFault.exe
3992	WerFault.exe
3992	WerFault.exe
3992	WerFault.exe
3992	WerFault.exe
1404	WerFault.exe
1404	WerFault.exe
1404	WerFault.exe
1404	WerFault.exe
1404	WerFault.exe
1404	WerFault.exe
1404	WerFault.exe
1404	WerFault.exe
1404	WerFault.exe
1404	WerFault.exe
1404	WerFault.exe
1404	WerFault.exe
1404	WerFault.exe
1404	WerFault.exe
2312	WerFault.exe
2312	WerFault.exe
2312	WerFault.exe
2312	WerFault.exe
2312	WerFault.exe
2312	WerFault.exe
2312	WerFault.exe
2312	WerFault.exe
2312	WerFault.exe
2312	WerFault.exe
2312	WerFault.exe
2312	WerFault.exe
2312	WerFault.exe
2312	WerFault.exe
1756	WerFault.exe
1756	WerFault.exe
1756	WerFault.exe
1756	WerFault.exe
1756	WerFault.exe
1756	WerFault.exe
1756	WerFault.exe
1756	WerFault.exe
1756	WerFault.exe
1756	WerFault.exe
1756	WerFault.exe
1756	WerFault.exe
1756	WerFault.exe
1756	WerFault.exe
2616	WerFault.exe
2616	WerFault.exe
2616	WerFault.exe
2616	WerFault.exe
2616	WerFault.exe
2616	WerFault.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	pid	process
Token: SeRestorePrivilege	3992	WerFault.exe
Token: SeBackupPrivilege	3992	WerFault.exe
Token: SeDebugPrivilege	3992	WerFault.exe
Token: SeDebugPrivilege	1404	WerFault.exe
Token: SeDebugPrivilege	2312	WerFault.exe
Token: SeDebugPrivilege	1756	WerFault.exe
Token: SeDebugPrivilege	2616	WerFault.exe
Token: SeDebugPrivilege	3160	WerFault.exe
Token: SeDebugPrivilege	1120	WerFault.exe
Token: SeDebugPrivilege	2124	WerFault.exe
Token: SeDebugPrivilege	4028	WerFault.exe
Token: SeDebugPrivilege	3780	WerFault.exe
Token: SeDebugPrivilege	2724	WerFault.exe
Token: SeDebugPrivilege	2648	WerFault.exe
Token: SeDebugPrivilege	2220	WerFault.exe
Token: SeDebugPrivilege	2612	WerFault.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

cheat_417615128.execheat_417615128.tmp

description	pid	process	target process
PID 3812 wrote to memory of 3048	3812	cheat_417615128.exe	cheat_417615128.tmp
PID 3812 wrote to memory of 3048	3812	cheat_417615128.exe	cheat_417615128.tmp
PID 3812 wrote to memory of 3048	3812	cheat_417615128.exe	cheat_417615128.tmp
PID 3048 wrote to memory of 416	3048	cheat_417615128.tmp	Fugiat.exe
PID 3048 wrote to memory of 416	3048	cheat_417615128.tmp	Fugiat.exe
PID 3048 wrote to memory of 416	3048	cheat_417615128.tmp	Fugiat.exe

C:\Users\Admin\AppData\Local\Temp\cheat_417615128.exe
"C:\Users\Admin\AppData\Local\Temp\cheat_417615128.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3812

C:\Users\Admin\AppData\Local\Temp\is-TDE9M.tmp\cheat_417615128.tmp
"C:\Users\Admin\AppData\Local\Temp\is-TDE9M.tmp\cheat_417615128.tmp" /SL5="$2011C,2523301,119296,C:\Users\Admin\AppData\Local\Temp\cheat_417615128.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3048

C:\Users\Admin\AppData\Local\Temp\is-1CFG2.tmp\Fugiat.exe
"C:\Users\Admin\AppData\Local\Temp\is-1CFG2.tmp\Fugiat.exe" a80b65d8bd2d53cc257dd27cf45cd04b
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 416 -s 820
4⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 416 -s 796
4⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 416 -s 800
4⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 416 -s 968
4⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 416 -s 992
4⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 416 -s 992
4⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 416 -s 936
4⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 416 -s 1116
4⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 416 -s 1084
4⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:4028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 416 -s 1112
4⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 416 -s 1152
4⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 416 -s 1336
4⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 416 -s 1308
4⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 416 -s 1384
4⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2612

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-1CFG2.tmp\Fugiat.exe
MD5
953dd51dcffb3947f4dd9380a9722205

SHA1
18ef0815ea99cae76be5d5ba2ad10fedca62bdb9

SHA256
11cd6bbb714b8661b2c8bda0979fdc28625737d4ad7b11c5e1c88b79eded61d7

SHA512
ca5e333c77271aeb37fa9149371a282a8dc2e9b9d93809f497bee0f437fa8b36e75999ad946344046890126385616259f9b60ed7590ba3f86d55d48ac5d858e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1CFG2.tmp\Fugiat.exe
MD5
953dd51dcffb3947f4dd9380a9722205

SHA1
18ef0815ea99cae76be5d5ba2ad10fedca62bdb9

SHA256
11cd6bbb714b8661b2c8bda0979fdc28625737d4ad7b11c5e1c88b79eded61d7

SHA512
ca5e333c77271aeb37fa9149371a282a8dc2e9b9d93809f497bee0f437fa8b36e75999ad946344046890126385616259f9b60ed7590ba3f86d55d48ac5d858e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1CFG2.tmp\sqlite3.dll
MD5
e477a96c8f2b18d6b5c27bde49c990bf

SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409

SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TDE9M.tmp\cheat_417615128.tmp
MD5
6a96bef4679e16a54b4090e74664dcca

SHA1
c8631c1624b98f6709b1ac37ce3956faed29bc30

SHA256
cb095356ddcfcbace96c6252fb73a267ed011c15ff206a7a9302007baa68a783

SHA512
924ab1e5c6ea72342eab6e78899a56c415e90020c46d3d8a81ae4da9276db7ea1df9684965a81fb95a6f2f9cf103b31413d67770eb15725ad04198c5d00037d0

Download Submit
\Users\Admin\AppData\Local\Temp\is-1CFG2.tmp\sqlite3.dll
MD5
e477a96c8f2b18d6b5c27bde49c990bf

SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409

SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

Download Submit
memory/416-12-0x0000000000400000-0x0000000001458000-memory.dmp

Filesize
16.3MB

Download
memory/416-10-0x0000000004650000-0x0000000004651000-memory.dmp

Filesize
4KB

Download
memory/416-11-0x0000000004E50000-0x0000000004E51000-memory.dmp

Filesize
4KB

Download
memory/416-6-0x0000000000000000-mapping.dmp

Download
memory/416-13-0x0000000003FF0000-0x0000000003FF1000-memory.dmp

Filesize
4KB

Download
memory/1120-21-0x0000000004D70000-0x0000000004D71000-memory.dmp

Filesize
4KB

Download
memory/1404-16-0x00000000044C0000-0x00000000044C1000-memory.dmp

Filesize
4KB

Download
memory/1756-18-0x00000000040F0000-0x00000000040F1000-memory.dmp

Filesize
4KB

Download
memory/2124-22-0x0000000004910000-0x0000000004911000-memory.dmp

Filesize
4KB

Download
memory/2220-27-0x00000000041F0000-0x00000000041F1000-memory.dmp

Filesize
4KB

Download
memory/2312-17-0x0000000004410000-0x0000000004411000-memory.dmp

Filesize
4KB

Download
memory/2612-28-0x0000000004940000-0x0000000004941000-memory.dmp

Filesize
4KB

Download
memory/2616-19-0x0000000004070000-0x0000000004071000-memory.dmp

Filesize
4KB

Download
memory/2648-26-0x0000000004280000-0x0000000004281000-memory.dmp

Filesize
4KB

Download
memory/2724-25-0x0000000004B40000-0x0000000004B41000-memory.dmp

Filesize
4KB

Download
memory/3048-2-0x0000000000000000-mapping.dmp

Download
memory/3048-5-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/3160-20-0x00000000040F0000-0x00000000040F1000-memory.dmp

Filesize
4KB

Download
memory/3780-24-0x0000000004280000-0x0000000004281000-memory.dmp

Filesize
4KB

Download
memory/3812-4-0x0000000000401000-0x0000000000412000-memory.dmp

Filesize
68KB

Download
memory/3992-14-0x0000000004C70000-0x0000000004C71000-memory.dmp

Filesize
4KB

Download
memory/4028-23-0x0000000004C70000-0x0000000004C71000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads