29aa6e0f133e3987c66880baada023ddb1d31b29969d39797a1b944097d928b1

Analysis

max time kernel
12s
max time network
112s
platform
windows10_x64
resource
win10v20201028
submitted
28-03-2021 02:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Trojan.GenericKD.45968072.21801.3666.exe
Size

13KB
MD5

b5ea5f2650f82f53059635551ae31469
SHA1

2ac0d73eaf8db34d0f5650b65b8619901b78c915
SHA256

29aa6e0f133e3987c66880baada023ddb1d31b29969d39797a1b944097d928b1
SHA512

c5e4752e5b96b78ac3679ddb1ba93d7ac41602fe5c045662da83c94521e2f8a55f00e3106157ed6d02406ca1bc1bce5ce76faa2ba9455fc6f1c1e38e13051d92

Score

10^/10

Malware Config

Signatures

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 1236 created 60	1236	WerFault.exe	78

Executes dropped EXE 1 IoCs

pid	Process
60	nigger.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 880 set thread context of 1092	880	SecuriteInfo.com.Trojan.GenericKD.45968072.21801.3666.exe	77

Program crash 9 IoCs

pid	pid_target	Process	procid_target
2192	1092	WerFault.exe	77
3056	60	WerFault.exe	78
3152	60	WerFault.exe	78
2852	60	WerFault.exe	78
1352	60	WerFault.exe	78
4092	60	WerFault.exe	78
2140	60	WerFault.exe	78
4064	60	WerFault.exe	78
1236	60	WerFault.exe	78

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3056	WerFault.exe
3056	WerFault.exe
3056	WerFault.exe
3056	WerFault.exe
3056	WerFault.exe
3056	WerFault.exe
3056	WerFault.exe
3056	WerFault.exe
3056	WerFault.exe
3056	WerFault.exe
3056	WerFault.exe
3056	WerFault.exe
3056	WerFault.exe
3056	WerFault.exe
3152	WerFault.exe
3152	WerFault.exe
3152	WerFault.exe
3152	WerFault.exe
3152	WerFault.exe
3152	WerFault.exe
3152	WerFault.exe
3152	WerFault.exe
3152	WerFault.exe
3152	WerFault.exe
3152	WerFault.exe
3152	WerFault.exe
3152	WerFault.exe
3152	WerFault.exe
2852	WerFault.exe
2852	WerFault.exe
2852	WerFault.exe
2852	WerFault.exe
2852	WerFault.exe
2852	WerFault.exe
2852	WerFault.exe
2852	WerFault.exe
2852	WerFault.exe
2852	WerFault.exe
2852	WerFault.exe
2852	WerFault.exe
2852	WerFault.exe
2852	WerFault.exe
1352	WerFault.exe
1352	WerFault.exe
1352	WerFault.exe
1352	WerFault.exe
1352	WerFault.exe
1352	WerFault.exe
1352	WerFault.exe
1352	WerFault.exe
1352	WerFault.exe
1352	WerFault.exe
1352	WerFault.exe
1352	WerFault.exe
1352	WerFault.exe
1352	WerFault.exe
4092	WerFault.exe
4092	WerFault.exe
4092	WerFault.exe
4092	WerFault.exe
4092	WerFault.exe
4092	WerFault.exe
4092	WerFault.exe
4092	WerFault.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeRestorePrivilege	3056	WerFault.exe
Token: SeBackupPrivilege	3056	WerFault.exe
Token: SeDebugPrivilege	3056	WerFault.exe
Token: SeDebugPrivilege	3152	WerFault.exe
Token: SeDebugPrivilege	2852	WerFault.exe
Token: SeDebugPrivilege	1352	WerFault.exe
Token: SeDebugPrivilege	4092	WerFault.exe
Token: SeDebugPrivilege	2140	WerFault.exe
Token: SeDebugPrivilege	4064	WerFault.exe
Token: SeDebugPrivilege	1236	WerFault.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 880 wrote to memory of 1092	880	SecuriteInfo.com.Trojan.GenericKD.45968072.21801.3666.exe	77
PID 880 wrote to memory of 1092	880	SecuriteInfo.com.Trojan.GenericKD.45968072.21801.3666.exe	77
PID 880 wrote to memory of 1092	880	SecuriteInfo.com.Trojan.GenericKD.45968072.21801.3666.exe	77
PID 880 wrote to memory of 1092	880	SecuriteInfo.com.Trojan.GenericKD.45968072.21801.3666.exe	77
PID 880 wrote to memory of 60	880	SecuriteInfo.com.Trojan.GenericKD.45968072.21801.3666.exe	78
PID 880 wrote to memory of 60	880	SecuriteInfo.com.Trojan.GenericKD.45968072.21801.3666.exe	78
PID 880 wrote to memory of 60	880	SecuriteInfo.com.Trojan.GenericKD.45968072.21801.3666.exe	78

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.45968072.21801.3666.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.45968072.21801.3666.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:880
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.45968072.21801.3666.exe
  "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.45968072.21801.3666.exe"
  2⤵
  PID:1092
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1092 -s 104
    3⤵
    - Program crash
    PID:2192
- C:\Users\Admin\AppData\Local\Temp\nigger.exe
  "C:\Users\Admin\AppData\Local\Temp\nigger.exe"
  2⤵
  - Executes dropped EXE
  PID:60
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 60 -s 656
    3⤵
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3056
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 60 -s 768
    3⤵
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3152
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 60 -s 544
    3⤵
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2852
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 60 -s 804
    3⤵
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1352
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 60 -s 904
    3⤵
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4092
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 60 -s 1304
    3⤵
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
    PID:2140
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 60 -s 1316
    3⤵
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
    PID:4064
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 60 -s 1332
    3⤵
    - Suspicious use of NtCreateProcessExOtherParentProcess
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
    PID:1236

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/60-13-0x0000000000960000-0x000000000098D000-memory.dmp

Filesize
180KB

Download
memory/60-9-0x0000000002590000-0x0000000002591000-memory.dmp

Filesize
4KB

Download
memory/60-14-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1236-38-0x0000000004B90000-0x0000000004B91000-memory.dmp

Filesize
4KB

Download
memory/1352-21-0x0000000004F40000-0x0000000004F41000-memory.dmp

Filesize
4KB

Download
memory/1352-24-0x0000000004F40000-0x0000000004F41000-memory.dmp

Filesize
4KB

Download
memory/2140-32-0x0000000004480000-0x0000000004481000-memory.dmp

Filesize
4KB

Download
memory/2192-8-0x0000000004840000-0x0000000004841000-memory.dmp

Filesize
4KB

Download
memory/2852-18-0x0000000004C90000-0x0000000004C91000-memory.dmp

Filesize
4KB

Download
memory/3056-11-0x0000000004A90000-0x0000000004A91000-memory.dmp

Filesize
4KB

Download
memory/3056-10-0x0000000004A90000-0x0000000004A91000-memory.dmp

Filesize
4KB

Download
memory/3152-15-0x0000000004E10000-0x0000000004E11000-memory.dmp

Filesize
4KB

Download
memory/4064-35-0x0000000004F70000-0x0000000004F71000-memory.dmp

Filesize
4KB

Download
memory/4092-25-0x0000000004970000-0x0000000004971000-memory.dmp

Filesize
4KB

Download