Analysis
- max time kernel: 148s
- max time network: 124s
- platform: windows7_x64
- resource: win7-en-20210920
- submitted: 18-10-2021 11:30
Static task: static1

Behavioral task: behavioral1
- Sample: 737732b33bdfa729010c81fba507c59e.exe
- Resource: win7-en-20210920
- Platform: windows7_x64
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: 737732b33bdfa729010c81fba507c59e.exe
- Resource: win10-en-20211014
- Platform: windows10_x64
- 0 signatures, 0 seconds
General
- Target: 737732b33bdfa729010c81fba507c59e.exe
- Size: 76KB
- MD5: 737732b33bdfa729010c81fba507c59e
- SHA1: a4fe38b55f7ea8618ced754eedbfdfee9b7da5a6
- SHA256: e01b0ac8411fc377c317ed6aabf5656b400c17bbb4a61b55204ea335bbe2f0ce
- SHA512: c699c29e68290d0ae6c3a4f392ccb73e29ef00b8808e643a7ca90cbcccd91afa8916c576aba7a48ca79d316bebc332b37f6748ad89b92ef50bab6b93c34be1f9
- Score: 3/10
Malware Config
Signatures
- Program crash (1 IoC)
  Processes:
    pid   pid_target   process        target process
    924   1544         WerFault.exe   737732b33bdfa729010c81fba507c59e.exe

- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
    pid   process
    924   WerFault.exe
    924   WerFault.exe
    924   WerFault.exe
    924   WerFault.exe

- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
    pid   process
    924   WerFault.exe

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description               pid    process
    Token: SeDebugPrivilege   1544   737732b33bdfa729010c81fba507c59e.exe
    Token: SeDebugPrivilege   924    WerFault.exe

- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
    description                       pid    process                                target process
    PID 1544 wrote to memory of 924   1544   737732b33bdfa729010c81fba507c59e.exe   WerFault.exe
    PID 1544 wrote to memory of 924   1544   737732b33bdfa729010c81fba507c59e.exe   WerFault.exe
    PID 1544 wrote to memory of 924   1544   737732b33bdfa729010c81fba507c59e.exe   WerFault.exe
    PID 1544 wrote to memory of 924   1544   737732b33bdfa729010c81fba507c59e.exe   WerFault.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\737732b33bdfa729010c81fba507c59e.exe (depth 1, pid 1544)
  Command line: "C:\Users\Admin\AppData\Local\Temp\737732b33bdfa729010c81fba507c59e.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WerFault.exe (depth 2, pid 924, child of the process above)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1544 -s 1072
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/924-58-0x0000000000000000-mapping.dmp
- memory/924-59-0x00000000003F0000-0x0000000000408000-memory.dmp (Filesize: 96KB)
- memory/1544-54-0x0000000000A80000-0x0000000000A81000-memory.dmp (Filesize: 4KB)
- memory/1544-56-0x00000000048D0000-0x00000000048D1000-memory.dmp (Filesize: 4KB)
- memory/1544-57-0x0000000074B91000-0x0000000074B93000-memory.dmp (Filesize: 8KB)