samples.zip

General
Target: 5987a6e42c3412086b7c9067dc25f1aaa659b2b123581899e9df92cb7907a3ed.bin.exe
Filesize: 898KB
Completed: 08-09-2021 12:51
Score: 3/10
MD5: cb2b4cd74c7b57a12bd822a168e4e608
SHA1: f2182062719f0537071545b77ca75f39c2922bf5
SHA256: 5987a6e42c3412086b7c9067dc25f1aaa659b2b123581899e9df92cb7907a3ed

Malware Config
Signatures 4

  • Program crash
    WerFault.exe

    Reported IOCs

    pid   pid_target  process       target process
    3856  3908        WerFault.exe  5987a6e42c3412086b7c9067dc25f1aaa659b2b123581899e9df92cb7907a3ed.bin.exe
  • NTFS ADS
    5987a6e42c3412086b7c9067dc25f1aaa659b2b123581899e9df92cb7907a3ed.bin.exe

    Reported IOCs

    description                   ioc                                                      process
    File opened for modification  C:\Users\Admin\AppData\Local\Temp\򬁏C:\Windows\SysWOW64  5987a6e42c3412086b7c9067dc25f1aaa659b2b123581899e9df92cb7907a3ed.bin.exe
  • Suspicious behavior: EnumeratesProcesses
    WerFault.exe

    Reported IOCs

    pid   process
    3856  WerFault.exe
    3856  WerFault.exe
    3856  WerFault.exe
    3856  WerFault.exe
    3856  WerFault.exe
    3856  WerFault.exe
    3856  WerFault.exe
    3856  WerFault.exe
    3856  WerFault.exe
    3856  WerFault.exe
    3856  WerFault.exe
    3856  WerFault.exe
    3856  WerFault.exe
    3856  WerFault.exe
    3856  WerFault.exe
  • Suspicious use of AdjustPrivilegeToken
    WerFault.exe

    Reported IOCs

    description               pid   process
    Token: SeRestorePrivilege  3856  WerFault.exe
    Token: SeBackupPrivilege   3856  WerFault.exe
    Token: SeDebugPrivilege    3856  WerFault.exe
Processes 2
  • C:\Users\Admin\AppData\Local\Temp\5987a6e42c3412086b7c9067dc25f1aaa659b2b123581899e9df92cb7907a3ed.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\5987a6e42c3412086b7c9067dc25f1aaa659b2b123581899e9df92cb7907a3ed.bin.exe"
    NTFS ADS
    PID:3908
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3908 -s 1524
      Program crash
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3856
Network
MITRE ATT&CK Matrix
  • Collection
  • Command and Control
  • Credential Access
  • Defense Evasion
  • Discovery
  • Execution
  • Exfiltration
  • Impact
  • Initial Access
  • Lateral Movement
  • Persistence
  • Privilege Escalation
Downloads
  • memory/3908-115-0x0000000000EC0000-0x0000000000EF3000-memory.dmp