Analysis
- max time kernel: 136s
- max time network: 137s
- platform: windows7_x64
- resource: win7-en
- submitted: 15-09-2021 06:55
Static task
- static1

Behavioral task
- behavioral1
  Sample: a6fc0d48408d69e288d47a21659176f1.exe
  Resource: win7-en (windows7_x64)
  0 signatures, 0 seconds

Behavioral task
- behavioral2
  Sample: a6fc0d48408d69e288d47a21659176f1.exe
  Resource: win10-en (windows10_x64)
  0 signatures, 0 seconds
General
- Target: a6fc0d48408d69e288d47a21659176f1.exe
- Size: 841KB
- MD5: a6fc0d48408d69e288d47a21659176f1
- SHA1: dec8694a310328e062aeec260b84792f0ac11250
- SHA256: 4e86e4ab9e20e94144838555a5e28d455f8998142d53a46f659cc9d07b2f458d
- SHA512: 903a2f49b5bc8371ff4cd8bd10b9c49f1258293ca55c450aca5661b6c93d44ca811eb716afb14df620d40c1daae80f115dc5a31c494b7d14165d77c526a9a980
- Score: 3/10
Malware Config
Signatures
- Program crash (1 IoCs)
  Processes:
  pid    pid_target   process        target process
  1728   1476         WerFault.exe   a6fc0d48408d69e288d47a21659176f1.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
  pid    process
  1728   WerFault.exe
  1728   WerFault.exe
  1728   WerFault.exe
  1728   WerFault.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes:
  pid    process
  1728   WerFault.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  description               pid    process
  Token: SeDebugPrivilege   1728   WerFault.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
  description                         pid    process                                 target process
  PID 1476 wrote to memory of 1728    1476   a6fc0d48408d69e288d47a21659176f1.exe    WerFault.exe
  PID 1476 wrote to memory of 1728    1476   a6fc0d48408d69e288d47a21659176f1.exe    WerFault.exe
  PID 1476 wrote to memory of 1728    1476   a6fc0d48408d69e288d47a21659176f1.exe    WerFault.exe
  PID 1476 wrote to memory of 1728    1476   a6fc0d48408d69e288d47a21659176f1.exe    WerFault.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\a6fc0d48408d69e288d47a21659176f1.exe (PID 1476)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a6fc0d48408d69e288d47a21659176f1.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WerFault.exe (PID 1728, child of 1476)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1476 -s 176
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/1476-53-0x0000000076071000-0x0000000076073000-memory.dmp (Filesize 8KB)
- memory/1476-54-0x00000000003B0000-0x00000000003B1000-memory.dmp (Filesize 4KB)
- memory/1728-55-0x0000000000000000-mapping.dmp
- memory/1728-57-0x0000000000A50000-0x0000000000A51000-memory.dmp (Filesize 4KB)