Analysis
- max time kernel: 14s
- max time network: 112s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 16-04-2021 07:53
Static task: static1
Behavioral task: behavioral1
- Sample: 074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe
- Resource: win7v20210410
Behavioral task: behavioral2
- Sample: 074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe
- Resource: win10v20210408
General
- Target: 074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe
- Size: 242KB
- MD5: c5d02a59e543e126359998b982e87d45
- SHA1: e6960b254e0215493a29471949b1ff84b6da1b59
- SHA256: 074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51
- SHA512: 6fc4f510ab3f13e0ab49d0b46b4b7a440de33b693ba6d20c6459dd59721363fbbda59975a51f78fa85d2f452fcc519595b83d80ae580c00ab75d80adbc214721
Malware Config
Signatures
- Suspicious use of NtCreateProcessExOtherParentProcess (1 IoCs)
  Processes:
  description | pid | process | target process
  PID 2796 created 488 | 2796 | WerFault.exe | 074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (6 IoCs)
  Processes:
  pid | pid_target | process | target process
  664 | 488 | WerFault.exe | 074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe
  196 | 488 | WerFault.exe | 074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe
  764 | 488 | WerFault.exe | 074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe
  2296 | 488 | WerFault.exe | 074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe
  2228 | 488 | WerFault.exe | 074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe
  2796 | 488 | WerFault.exe | 074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (identical rows collapsed, with the number of occurrences):
  pid | process | occurrences
  664 | WerFault.exe | 14
  196 | WerFault.exe | 14
  764 | WerFault.exe | 14
  2296 | WerFault.exe | 14
  2228 | WerFault.exe | 8
- Suspicious use of AdjustPrivilegeToken (8 IoCs)
  Processes:
  description | pid | process
  Token: SeRestorePrivilege | 664 | WerFault.exe
  Token: SeBackupPrivilege | 664 | WerFault.exe
  Token: SeDebugPrivilege | 664 | WerFault.exe
  Token: SeDebugPrivilege | 196 | WerFault.exe
  Token: SeDebugPrivilege | 764 | WerFault.exe
  Token: SeDebugPrivilege | 2296 | WerFault.exe
  Token: SeDebugPrivilege | 2228 | WerFault.exe
  Token: SeDebugPrivilege | 2796 | WerFault.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe"
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 488 -s 660
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 488 -s 692
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 488 -s 680
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 488 -s 784
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 488 -s 816
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 488 -s 876
    - Suspicious use of NtCreateProcessExOtherParentProcess
    - Program crash
    - Suspicious use of AdjustPrivilegeToken