Analysis
- max time kernel: 119s
- max time network: 118s
- platform: windows7_x64
- resource: win7-en-20211014
- submitted: 19-10-2021 15:17
Static task
- static1

Behavioral task
- behavioral1
  Sample: d0e763139d8ae4919323f584a1750cfe.exe
  Resource: win7-en-20211014 (windows7_x64)
  0 signatures, 0 seconds

Behavioral task
- behavioral2
  Sample: d0e763139d8ae4919323f584a1750cfe.exe
  Resource: win10-en-20211014 (windows10_x64)
  0 signatures, 0 seconds
General
- Target: d0e763139d8ae4919323f584a1750cfe.exe
- Size: 46KB
- MD5: d0e763139d8ae4919323f584a1750cfe
- SHA1: 09cd2fd8de9b4968c9ea154c5f71c3273fc74087
- SHA256: 8ecd99368b83efde6f0d0d538e135394c5aec47faf430e86c5d9449eb0c9f770
- SHA512: bc2a9c9fc703cedec5dfe087fb36f5eadd9335420c07018c7dfcf2ed45296370cc37b4e8da5afbcf12831ed94037281a64f37fa90cf75adc61bfe11506fe7700
- Score: 3/10
Malware Config
Signatures
- Program crash (1 IoC)
  Processes:
    pid   pid_target  process       target process
    1476  1688        WerFault.exe  d0e763139d8ae4919323f584a1750cfe.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
    pid   process
    1476  WerFault.exe
    1476  WerFault.exe
    1476  WerFault.exe
    1476  WerFault.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  1688  d0e763139d8ae4919323f584a1750cfe.exe
    Token: SeDebugPrivilege  1476  WerFault.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
    description                       pid   process                               target process
    PID 1688 wrote to memory of 1476  1688  d0e763139d8ae4919323f584a1750cfe.exe  WerFault.exe
    PID 1688 wrote to memory of 1476  1688  d0e763139d8ae4919323f584a1750cfe.exe  WerFault.exe
    PID 1688 wrote to memory of 1476  1688  d0e763139d8ae4919323f584a1750cfe.exe  WerFault.exe
    PID 1688 wrote to memory of 1476  1688  d0e763139d8ae4919323f584a1750cfe.exe  WerFault.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\d0e763139d8ae4919323f584a1750cfe.exe (PID 1688)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d0e763139d8ae4919323f584a1750cfe.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WerFault.exe (PID 1476, child of 1688)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1688 -s 1060
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/1476-59-0x0000000000000000-mapping.dmp
- memory/1476-61-0x0000000000290000-0x0000000000291000-memory.dmp (filesize 4KB)
- memory/1688-55-0x0000000000B80000-0x0000000000B81000-memory.dmp (filesize 4KB)
- memory/1688-57-0x0000000074F61000-0x0000000074F63000-memory.dmp (filesize 8KB)
- memory/1688-58-0x0000000004CA0000-0x0000000004CA1000-memory.dmp (filesize 4KB)