Analysis
- max time kernel: 112s
- max time network: 12s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 27-07-2021 18:01
Static task: static1
Behavioral task: behavioral1
Sample: bobb4567.exe
Resource: win7v20210408 (windows7_x64)
0 signatures, 0 seconds
General
- Target: bobb4567.exe
- Size: 245KB
- MD5: 90825728992d0ef937e2523370e34b31
- SHA1: 7b9a3d06e10d3ccb32a8be5a98ec253bbc0bdebf
- SHA256: 9598f7ebeef58e063e6e5de7da5ea2775991628d11c4fae3e3e2854fa22065eb
- SHA512: dc180827a8ba8f24dbf20f38091e1bee6c96776399733bf6519e567c0072ae5907abeaeea5873630a4a9057ec34370bbee47042c7b7e5d4e143ac6cac105f370
Score: 5/10
Malware Config
Signatures
-
Suspicious use of SetThreadContext (1 IoC)
Processes:
description                         pid   process       target process
PID 940 set thread context of 1976  940   bobb4567.exe  bobb4567.exe
-
Program crash (1 IoC)
Processes:
pid   pid_target  process       target process
2000  1976        WerFault.exe  bobb4567.exe
-
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes:
pid   process
2000  WerFault.exe
2000  WerFault.exe
2000  WerFault.exe
2000  WerFault.exe
-
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
pid   process
2000  WerFault.exe
-
Suspicious behavior: MapViewOfSection (2 IoCs)
Processes:
pid   process
940   bobb4567.exe
940   bobb4567.exe
-
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
description              pid   process
Token: SeDebugPrivilege  2000  WerFault.exe
-
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
description                       pid   process       target process
PID 940 wrote to memory of 1976   940   bobb4567.exe  bobb4567.exe
PID 940 wrote to memory of 1976   940   bobb4567.exe  bobb4567.exe
PID 940 wrote to memory of 1976   940   bobb4567.exe  bobb4567.exe
PID 940 wrote to memory of 1976   940   bobb4567.exe  bobb4567.exe
PID 940 wrote to memory of 1976   940   bobb4567.exe  bobb4567.exe
PID 1976 wrote to memory of 2000  1976  bobb4567.exe  WerFault.exe
PID 1976 wrote to memory of 2000  1976  bobb4567.exe  WerFault.exe
PID 1976 wrote to memory of 2000  1976  bobb4567.exe  WerFault.exe
PID 1976 wrote to memory of 2000  1976  bobb4567.exe  WerFault.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\bobb4567.exe (depth 1; PID 940 per the signature rows)
  command line: "C:\Users\Admin\AppData\Local\Temp\bobb4567.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  -
  C:\Users\Admin\AppData\Local\Temp\bobb4567.exe (depth 2; PID 1976 per the signature rows)
    command line: "C:\Users\Admin\AppData\Local\Temp\bobb4567.exe"
    - Suspicious use of WriteProcessMemory
    -
    C:\Windows\SysWOW64\WerFault.exe (depth 3; PID 2000 per the signature rows)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1976 -s 363
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
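The Signatures and Processes sections above are more useful correlated than read row by row: PID 940 writes five times into a second copy of its own image (PID 1976) and sets that process's thread context, and the target later crashes, with WerFault.exe launched against it (`-p 1976`). The Python below is an added example, not part of this report and not the sandbox's own code, that encodes that correlation as a detection rule. The `EVENTS` list and `WERFAULT_CMDLINE` are constructed by hand from the rows shown above; the tuple layout, the `correlate` and `crashed_pid` helpers and the scoring rule (remote write plus SetThreadContext on the same target) are this example's assumptions.

```python
"""Correlate sandbox API rows into a process-injection finding.

Added example: not the report's own logic and not the sandbox vendor's code.
EVENTS and WERFAULT_CMDLINE are constructed by hand from the rows shown in
the report (PIDs 940, 1976, 2000); the field layout, the helper names and the
scoring rule are this example's assumptions.
"""
import re
from collections import Counter

# Constructed from the report's Signatures rows:
# (api, source_pid, source_image, target_pid, target_image)
EVENTS = (
    [("SetThreadContext", 940, "bobb4567.exe", 1976, "bobb4567.exe")]
    + [("WriteProcessMemory", 940, "bobb4567.exe", 1976, "bobb4567.exe")] * 5
    + [("WriteProcessMemory", 1976, "bobb4567.exe", 2000, "WerFault.exe")] * 4
)

# Constructed from the report's process tree: the crash handler's command line.
WERFAULT_CMDLINE = r"C:\Windows\SysWOW64\WerFault.exe -u -p 1976 -s 363"


def crashed_pid(cmdline):
    """Return the PID named by WerFault's -p argument, or None if absent."""
    m = re.search(r"(?:^|\s)-p\s+(\d+)", cmdline)
    return int(m.group(1)) if m else None


def correlate(events, werfault_cmdline=None):
    """Score (source, target) pairs; report only remote write + SetThreadContext.

    A remote write by itself is weak evidence: a parent writes into every child
    it creates (here PID 1976 into WerFault.exe PID 2000). A remote write on a
    target whose thread context the same source also set is the control-flow
    hijack that process hollowing / RunPE-style loaders depend on, so only such
    pairs are returned.
    """
    writes = Counter()
    ctx_pairs = set()
    image = {}
    for api, src, src_img, dst, dst_img in events:
        image[src] = src_img
        image[dst] = dst_img
        if api == "WriteProcessMemory":
            writes[(src, dst)] += 1
        elif api == "SetThreadContext":
            ctx_pairs.add((src, dst))

    crashed = crashed_pid(werfault_cmdline) if werfault_cmdline else None
    findings = []
    for (src, dst), n in sorted(writes.items()):
        if (src, dst) not in ctx_pairs:
            continue  # plain parent-to-child write; not scored on its own
        findings.append({
            "source": (src, image[src]),
            "target": (dst, image[dst]),
            "writes": n,
            # Same image on both sides: a fresh copy of itself was the target.
            "same_image": image[src] == image[dst],
            # The injected process later crashed (WerFault -p <target pid>).
            "target_crashed": dst == crashed,
        })
    return findings


if __name__ == "__main__":
    for finding in correlate(EVENTS, WERFAULT_CMDLINE):
        print(finding)
```

Run against the rows from this report the rule yields exactly one finding, 940 into 1976 with five writes, the same image on both sides and the target flagged as crashed; the four writes from 1976 into WerFault.exe are ignored because no SetThreadContext accompanies them. A target that crashes right after being written to and having its context set is consistent with an injection that did not complete in this environment, which is also in line with the middling 5/10 score, so this is a pivot for manual follow-up (the dumped regions under Downloads), not a verdict on its own.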
Network
MITRE ATT&CK Matrix
Downloads
- memory/940-59-0x0000000075051000-0x0000000075053000-memory.dmp (Filesize 8KB)
- memory/940-62-0x00000000000F0000-0x00000000000F2000-memory.dmp (Filesize 8KB)
- memory/1976-60-0x000000000009EB60-mapping.dmp
- memory/2000-61-0x0000000000000000-mapping.dmp
- memory/2000-64-0x0000000000380000-0x0000000000381000-memory.dmp (Filesize 4KB)