Analysis
max time kernel: 11s
max time network: 110s
platform: windows10_x64
resource: win10v20210410
submitted: 06-05-2021 18:29
Static task: static1

Behavioral task: behavioral1
  Sample: countViewSelect.hta
  Resource: win7v20210408
  Platform: windows7_x64
  0 signatures
  0 seconds

Behavioral task: behavioral2
  Sample: countViewSelect.hta
  Resource: win10v20210410
  Platform: windows10_x64
  0 signatures
  0 seconds
General
Target: countViewSelect.hta
Size: 3KB
MD5: a1f07f22e32902cf1c2493e3886e4ee6
SHA1: af0d2e3e25b4c406b6f43585a66b2b2e7a4d527c
SHA256: 1b61d75451a001135e801d87d846f97819c3bb43419d95bacbe5c5593632ffc2
SHA512: afe32dc8f0477df39a0f0327eba321a3a37cc114bb8c4e4a4e689038c2cec438a819b29f33c415acf2166197e70ff43363bf11f17be09dd5c711b3dac4df62d7
Score: 10/10
Malware Config
Signatures
Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
Processes:
  description              pid   process       target process
  PID 3576 created 2208    3576  WerFault.exe  mshta.exe

Program crash (2 IoCs)
Processes:
  pid   pid_target  process       target process
  2780  2208        WerFault.exe  mshta.exe
  3576  2208        WerFault.exe  mshta.exe

Suspicious behavior: EnumeratesProcesses (15 IoCs)
Processes:
  pid   process
  2780  WerFault.exe  (15 identical entries)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  description                pid   process
  Token: SeRestorePrivilege  2780  WerFault.exe
  Token: SeBackupPrivilege   2780  WerFault.exe
  Token: SeDebugPrivilege    2780  WerFault.exe
Processes

C:\Windows\SysWOW64\mshta.exe
  Command line: C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\countViewSelect.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2208 -s 1332
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2208 -s 1624
    - Suspicious use of NtCreateProcessExOtherParentProcess
    - Program crash