samples.zip

General
Target

5987a6e42c3412086b7c9067dc25f1aaa659b2b123581899e9df92cb7907a3ed.bin.exe

Filesize

898KB

Completed

08-09-2021 12:52

Score
3/10
MD5

cb2b4cd74c7b57a12bd822a168e4e608

SHA1

f2182062719f0537071545b77ca75f39c2922bf5

SHA256

5987a6e42c3412086b7c9067dc25f1aaa659b2b123581899e9df92cb7907a3ed

Malware Config
Signatures 5

  • Program crash
    WerFault.exe

    Reported IOCs

    pid   pid_target  process       target process
    1588  1696        WerFault.exe  5987a6e42c3412086b7c9067dc25f1aaa659b2b123581899e9df92cb7907a3ed.bin.exe
  • Suspicious behavior: EnumeratesProcesses
    WerFault.exe

    Reported IOCs

    pid   process
    1588  WerFault.exe
    1588  WerFault.exe
    1588  WerFault.exe
    1588  WerFault.exe
    1588  WerFault.exe
  • Suspicious behavior: GetForegroundWindowSpam
    WerFault.exe

    Reported IOCs

    pid   process
    1588  WerFault.exe
  • Suspicious use of AdjustPrivilegeToken
    WerFault.exe

    Reported IOCs

    description               pid   process
    Token: SeDebugPrivilege   1588  WerFault.exe
  • Suspicious use of WriteProcessMemory
    5987a6e42c3412086b7c9067dc25f1aaa659b2b123581899e9df92cb7907a3ed.bin.exe

    Reported IOCs

    description                        pid   process                                                                   target process
    PID 1696 wrote to memory of 1588   1696  5987a6e42c3412086b7c9067dc25f1aaa659b2b123581899e9df92cb7907a3ed.bin.exe  WerFault.exe
    PID 1696 wrote to memory of 1588   1696  5987a6e42c3412086b7c9067dc25f1aaa659b2b123581899e9df92cb7907a3ed.bin.exe  WerFault.exe
    PID 1696 wrote to memory of 1588   1696  5987a6e42c3412086b7c9067dc25f1aaa659b2b123581899e9df92cb7907a3ed.bin.exe  WerFault.exe
    PID 1696 wrote to memory of 1588   1696  5987a6e42c3412086b7c9067dc25f1aaa659b2b123581899e9df92cb7907a3ed.bin.exe  WerFault.exe
Processes 2
  • C:\Users\Admin\AppData\Local\Temp\5987a6e42c3412086b7c9067dc25f1aaa659b2b123581899e9df92cb7907a3ed.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\5987a6e42c3412086b7c9067dc25f1aaa659b2b123581899e9df92cb7907a3ed.bin.exe"
    Suspicious use of WriteProcessMemory
    PID:1696
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1696 -s 924
      Program crash
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:1588
Network
MITRE ATT&CK Matrix
  Tactic columns (no techniques mapped in this report): Collection, Command and Control, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation
Downloads
  • memory/1588-61-0x0000000000000000-mapping.dmp
  • memory/1588-62-0x0000000000530000-0x0000000000531000-memory.dmp
  • memory/1696-59-0x0000000075211000-0x0000000075213000-memory.dmp
  • memory/1696-60-0x0000000000360000-0x0000000000393000-memory.dmp