Analysis
- max time kernel: 36s
- max time network: 33s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 05-03-2021 23:13
Static task
- static1

Behavioral task
- behavioral1
  Sample: dottwitch.exe
  Resource: win7v20201028 (windows7_x64)
  0 signatures, 0 seconds

Behavioral task
- behavioral2
  Sample: dottwitch.exe
  Resource: win10v20201028 (windows10_x64)
  0 signatures, 0 seconds

Errors
- Reason: Machine shutdown
General
- Target: dottwitch.exe
- Size: 78KB
- MD5: 19ca826fb47911d0f28d5f3a581fa04e
- SHA1: 7f68c84eee75ee8a2357b570140466cdcbacc8eb
- SHA256: 93b99f8ca3f18926d2405d337bf047fb419c8bfd898aeab2f74108833fca85ae
- SHA512: 1f4057c5bcd74be122e068ac3a23a8d802aa19136146a06d47720ce797c51ce4982d6e9e10034b5192122f0c0f7f44c199d3146af63eded78cb08c8f1b6bf532
- Score: 3/10
Malware Config
Signatures
- Program crash (1 IoC)
  Processes: WerFault.exe
  pid  pid_target  process       target process
  300  2008        WerFault.exe  dottwitch.exe
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes: WerFault.exe
  pid  process
  300  WerFault.exe
  300  WerFault.exe
  300  WerFault.exe
  300  WerFault.exe
  300  WerFault.exe
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes: WerFault.exe, AUDIODG.EXE
  description                         pid   process
  Token: SeDebugPrivilege             300   WerFault.exe
  Token: 33                           1520  AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege   1520  AUDIODG.EXE
  Token: 33                           1520  AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege   1520  AUDIODG.EXE
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: dottwitch.exe
  description                       pid   process        target process
  PID 2008 wrote to memory of 300   2008  dottwitch.exe  WerFault.exe
  PID 2008 wrote to memory of 300   2008  dottwitch.exe  WerFault.exe
  PID 2008 wrote to memory of 300   2008  dottwitch.exe  WerFault.exe
  PID 2008 wrote to memory of 300   2008  dottwitch.exe  WerFault.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\dottwitch.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\dottwitch.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 544
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x0
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x5ac
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x1
Network
MITRE ATT&CK Matrix
Downloads
- memory/300-5-0x0000000000000000-mapping.dmp
- memory/300-6-0x0000000001E00000-0x0000000001E11000-memory.dmp (Filesize: 68KB)
- memory/300-7-0x0000000000280000-0x0000000000281000-memory.dmp (Filesize: 4KB)
- memory/1324-11-0x00000000026E0000-0x00000000026E1000-memory.dmp (Filesize: 4KB)
- memory/1504-8-0x000007FEFB891000-0x000007FEFB893000-memory.dmp (Filesize: 8KB)
- memory/1504-9-0x0000000002840000-0x0000000002841000-memory.dmp (Filesize: 4KB)
- memory/2008-2-0x0000000073AF0000-0x00000000741DE000-memory.dmp (Filesize: 6.9MB)
- memory/2008-3-0x0000000001290000-0x0000000001291000-memory.dmp (Filesize: 4KB)