Analysis
- max time kernel: 127s
- max time network: 151s
- platform: windows7_x64
- resource: win7-en-20210920
- submitted: 18-10-2021 23:37
Static task: static1

Behavioral task: behavioral1
- Sample: 8a5336e1f45a85b04b3b8930a714a7b0.exe
- Resource: win7-en-20210920 (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: 8a5336e1f45a85b04b3b8930a714a7b0.exe
- Resource: win10-en-20211014 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: 8a5336e1f45a85b04b3b8930a714a7b0.exe
- Size: 84KB
- MD5: 8a5336e1f45a85b04b3b8930a714a7b0
- SHA1: 2bac2e1ddfebabfe1e8f15301434b47be53063c9
- SHA256: a2be24512daa156d5c3cd4726819d6cb085e77a1d8f3a6b2c6bfc26221f8853c
- SHA512: 5f6a66e86b094b4e136fe195104620c18c406ff5eef7d12d0c1d041145d0b65ab5e76a99406c935f5bc8ca91df0706a777d5d701cbdf6a57369fd88382c7a2f7

Score: 3/10
Malware Config
Signatures

- Program crash (1 IoC)
  Processes:
  pid   pid_target   process        target process
  564   1468         WerFault.exe   8a5336e1f45a85b04b3b8930a714a7b0.exe

- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
  pid   process
  564   WerFault.exe
  564   WerFault.exe
  564   WerFault.exe
  564   WerFault.exe

- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
  pid   process
  564   WerFault.exe

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  description               pid    process
  Token: SeDebugPrivilege   1468   8a5336e1f45a85b04b3b8930a714a7b0.exe
  Token: SeDebugPrivilege   564    WerFault.exe

- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
  description                       pid    process                                target process
  PID 1468 wrote to memory of 564   1468   8a5336e1f45a85b04b3b8930a714a7b0.exe   WerFault.exe
  PID 1468 wrote to memory of 564   1468   8a5336e1f45a85b04b3b8930a714a7b0.exe   WerFault.exe
  PID 1468 wrote to memory of 564   1468   8a5336e1f45a85b04b3b8930a714a7b0.exe   WerFault.exe
  PID 1468 wrote to memory of 564   1468   8a5336e1f45a85b04b3b8930a714a7b0.exe   WerFault.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\8a5336e1f45a85b04b3b8930a714a7b0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8a5336e1f45a85b04b3b8930a714a7b0.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\WerFault.exe (child of the process above)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1468 -s 1620
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/564-58-0x0000000000000000-mapping.dmp
- memory/564-59-0x00000000002B0000-0x00000000002CA000-memory.dmp (Filesize: 104KB)
- memory/1468-54-0x0000000000D40000-0x0000000000D41000-memory.dmp (Filesize: 4KB)
- memory/1468-56-0x0000000004A00000-0x0000000004A01000-memory.dmp (Filesize: 4KB)
- memory/1468-57-0x00000000755A1000-0x00000000755A3000-memory.dmp (Filesize: 8KB)