Analysis
- max time kernel: 110s
- max time network: 50s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 26-09-2021 14:53
Static task: static1

Behavioral task: behavioral1
- Sample: ad8486d833e43c854bdcfc46cad06eca.exe
- Resource: win7v20210408 (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: ad8486d833e43c854bdcfc46cad06eca.exe
- Resource: win10-en-20210920 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: ad8486d833e43c854bdcfc46cad06eca.exe
- Size: 69KB
- MD5: ad8486d833e43c854bdcfc46cad06eca
- SHA1: 12c4b312e4c67bc31d6147dd40de1a0dae353821
- SHA256: ac0ad304ab1e7320f73c544f59addcd0140f15e7b55cf81a9c5a72908a9657d2
- SHA512: 28c50d73b738c2803880c6ca2f7fbc22152949e5b3d0684933ce90a71196be99a2365cb229a0d02b3e56ef4c2ee0bef1b9ac60f08fab32ab72771d8c5d01a9b7
- Score: 3/10
Malware Config
Signatures
-
Program crash (1 IoC)
Processes:
  pid   pid_target  process       target process
  2016  1944        WerFault.exe  ad8486d833e43c854bdcfc46cad06eca.exe

Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes:
  pid   process
  2016  WerFault.exe
  2016  WerFault.exe
  2016  WerFault.exe
  2016  WerFault.exe
  2016  WerFault.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
  pid   process
  2016  WerFault.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description               pid   process
  Token: SeDebugPrivilege   2016  WerFault.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description                          pid   process                               target process
  PID 1944 wrote to memory of 2016     1944  ad8486d833e43c854bdcfc46cad06eca.exe  WerFault.exe
  PID 1944 wrote to memory of 2016     1944  ad8486d833e43c854bdcfc46cad06eca.exe  WerFault.exe
  PID 1944 wrote to memory of 2016     1944  ad8486d833e43c854bdcfc46cad06eca.exe  WerFault.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\ad8486d833e43c854bdcfc46cad06eca.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\ad8486d833e43c854bdcfc46cad06eca.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\WerFault.exe
      Command line: C:\Windows\system32\WerFault.exe -u -p 1944 -s 520
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/1944-60-0x0000000000D20000-0x0000000000D21000-memory.dmp (Filesize: 4KB)
- memory/1944-62-0x00000000002D0000-0x00000000002D1000-memory.dmp (Filesize: 4KB)
- memory/2016-63-0x0000000000000000-mapping.dmp
- memory/2016-64-0x000007FEFB891000-0x000007FEFB893000-memory.dmp (Filesize: 8KB)
- memory/2016-65-0x0000000001E40000-0x0000000001E41000-memory.dmp (Filesize: 4KB)