Analysis
- max time kernel: 19s
- max time network: 119s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 09-06-2021 16:49
Static task: static1

Behavioral task: behavioral1
- Sample: sample.exe
- Resource: win7v20210410 (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: sample.exe
- Resource: win10v20210408 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: sample.exe
- Size: 41KB
- MD5: b580c140a245f68291f7d4159272beeb
- SHA1: 96d61bb4105f2a331bb3d7b733d77666286e8954
- SHA256: 291dd93ff5ffd7c8c108767855b77b3a1fbae2755cc650b884f42e1903884041
- SHA512: 5241380c3613e11de37c2125de09b80933b4bd2e8a1def667fd035bea3f0a7c5e5d7707d940fea8d7e4aab1030fac0c03318e84717ba2feccfad7f01b0b1e676
- Score: 10/10
Malware Config
Extracted credentials:
- Protocol: smtp
- Host: mail.cock.li
- Port: 587
- Username: SendServerInfo@hitler.rocks
- Password: jesuscrypt
Signatures
- Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
  Processes (description | pid | process | target process):
  - PID 3692 created 624 | 3692 | WerFault.exe | sample.exe
- Program crash (2 IoCs)
  Processes (pid | pid_target | process | target process):
  - 1796 | 624 | WerFault.exe | sample.exe
  - 3692 | 624 | WerFault.exe | sample.exe
- Suspicious behavior: EnumeratesProcesses (28 IoCs)
  Processes (pid | process):
  - 1796 | WerFault.exe (14 identical entries)
  - 3692 | WerFault.exe (14 identical entries)
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes (description | pid | process):
  - Token: SeDebugPrivilege | 624 | sample.exe
  - Token: SeRestorePrivilege | 1796 | WerFault.exe
  - Token: SeBackupPrivilege | 1796 | WerFault.exe
  - Token: SeDebugPrivilege | 1796 | WerFault.exe
  - Token: SeDebugPrivilege | 3692 | WerFault.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\sample.exe (PID 624)
  Command line: "C:\Users\Admin\AppData\Local\Temp\sample.exe"
  - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe (child of PID 624)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 624 -s 1724
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe (child of PID 624)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 624 -s 1740
    - Suspicious use of NtCreateProcessExOtherParentProcess
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/624-114-0x0000000000C90000-0x0000000000C91000-memory.dmp (Filesize: 4KB)
- memory/624-116-0x0000000005B70000-0x0000000005B71000-memory.dmp (Filesize: 4KB)
- memory/624-117-0x0000000005530000-0x0000000005531000-memory.dmp (Filesize: 4KB)
- memory/624-118-0x0000000005670000-0x0000000005B6E000-memory.dmp (Filesize: 5.0MB)
- memory/624-119-0x0000000005770000-0x0000000005771000-memory.dmp (Filesize: 4KB)