Analysis
max time kernel: 120s
max time network: 127s
platform: windows10_x64
resource: win10-en-20211014
submitted: 16-10-2021 02:56
Static task: static1
Behavioral task: behavioral1
  Sample: 5yyNVbMOOjT1pLcNXc3B1EPt.exe
  Resource: win7-en-20210920
  Platform: windows7_x64
  0 signatures
  0 seconds
Behavioral task: behavioral2
  Sample: 5yyNVbMOOjT1pLcNXc3B1EPt.exe
  Resource: win10-en-20211014
  Platform: windows10_x64
  0 signatures
  0 seconds
General
Target: 5yyNVbMOOjT1pLcNXc3B1EPt.exe
Size: 394KB
MD5: 47e59166e719f7e4641e5462be5fdc80
SHA1: 08e9365dc59124e24c193f636b11ae8fc27c28c5
SHA256: fe622c4801737dede008dfecf2bcf48316f0adebbc080d27a2664ee8b606415c
SHA512: 3fd806dab8c7a673cb46d938c456f59563f61ac3506a2b5c051165f8330ac367a54db091ecc0cdaddfbfb9545af17423378e31f97e2dc10fe3f9c516ce33f40d
Score: 10/10
Malware Config
Signatures

Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
Processes:
  description                pid   process       target process
  PID 1084 created 1872      1084  WerFault.exe  5yyNVbMOOjT1pLcNXc3B1EPt.exe
Program crash (5 IoCs)
Processes:
  pid   pid_target  process       target process
  3524  1872        WerFault.exe  5yyNVbMOOjT1pLcNXc3B1EPt.exe
  996   1872        WerFault.exe  5yyNVbMOOjT1pLcNXc3B1EPt.exe
  600   1872        WerFault.exe  5yyNVbMOOjT1pLcNXc3B1EPt.exe
  1012  1872        WerFault.exe  5yyNVbMOOjT1pLcNXc3B1EPt.exe
  1084  1872        WerFault.exe  5yyNVbMOOjT1pLcNXc3B1EPt.exe
Suspicious behavior: EnumeratesProcesses (60 IoCs)
Processes (12 identical entries per pid, 60 in total):
  pid   process       entries
  3524  WerFault.exe  12
  996   WerFault.exe  12
  600   WerFault.exe  12
  1012  WerFault.exe  12
  1084  WerFault.exe  12
Suspicious use of AdjustPrivilegeToken (7 IoCs)
Processes:
  description                pid   process
  Token: SeRestorePrivilege  3524  WerFault.exe
  Token: SeBackupPrivilege   3524  WerFault.exe
  Token: SeDebugPrivilege    3524  WerFault.exe
  Token: SeDebugPrivilege    996   WerFault.exe
  Token: SeDebugPrivilege    600   WerFault.exe
  Token: SeDebugPrivilege    1012  WerFault.exe
  Token: SeDebugPrivilege    1084  WerFault.exe
Processes

C:\Users\Admin\AppData\Local\Temp\5yyNVbMOOjT1pLcNXc3B1EPt.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\5yyNVbMOOjT1pLcNXc3B1EPt.exe"

  C:\Windows\SysWOW64\WerFault.exe (depth 2)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1872 -s 656
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WerFault.exe (depth 2)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1872 -s 640
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WerFault.exe (depth 2)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1872 -s 624
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WerFault.exe (depth 2)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1872 -s 768
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WerFault.exe (depth 2)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1872 -s 784
    - Suspicious use of NtCreateProcessExOtherParentProcess
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken