Overview

overview

10

Static

static

5yyNVbMOOj...Pt.exe

windows7_x64

10

5yyNVbMOOj...Pt.exe

windows10_x64

10

Analysis

  • max time kernel
    120s
  • max time network
    127s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    16-10-2021 02:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5yyNVbMOOjT1pLcNXc3B1EPt.exe

  • Size

    394KB

  • MD5

    47e59166e719f7e4641e5462be5fdc80

  • SHA1

    08e9365dc59124e24c193f636b11ae8fc27c28c5

  • SHA256

    fe622c4801737dede008dfecf2bcf48316f0adebbc080d27a2664ee8b606415c

  • SHA512

    3fd806dab8c7a673cb46d938c456f59563f61ac3506a2b5c051165f8330ac367a54db091ecc0cdaddfbfb9545af17423378e31f97e2dc10fe3f9c516ce33f40d

Score
10/10

Malware Config

Signatures

  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • Program crash 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 60 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5yyNVbMOOjT1pLcNXc3B1EPt.exe
    "C:\Users\Admin\AppData\Local\Temp\5yyNVbMOOjT1pLcNXc3B1EPt.exe"
    1⤵
      PID:1872
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1872 -s 656
        2⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3524
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1872 -s 640
        2⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:996
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1872 -s 624
        2⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:600
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1872 -s 768
        2⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1012
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1872 -s 784
        2⤵
        • Suspicious use of NtCreateProcessExOtherParentProcess
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1084

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1872-115-0x0000000001999000-0x00000000019C2000-memory.dmp
      Filesize

      164KB

      Download
    • memory/1872-117-0x0000000000400000-0x00000000016D5000-memory.dmp
      Filesize

      18.8MB

      Download
    • memory/1872-116-0x0000000003420000-0x0000000003469000-memory.dmp
      Filesize

      292KB

      Download