Analysis
- max time kernel: 121s
- max time network: 124s
- platform: windows7_x64
- resource: win7-en-20210920
- submitted: 20-10-2021 03:54
Static task: static1

Behavioral task: behavioral1
- Sample: Q-700004637 1004913.exe
- Resource: win7-en-20210920
- 0 signatures
- 0 seconds

Behavioral task: behavioral2
- Sample: Q-700004637 1004913.exe
- Resource: win10-en-20211014
- 0 signatures
- 0 seconds
General
- Target: Q-700004637 1004913.exe
- Size: 22KB
- MD5: 75b7a294df955b78f7adf5882e600273
- SHA1: df8f94ca5d228dcbda81efd0f8a0f37ff5ffa459
- SHA256: d3c93ce13c0f0a8dd07512cb0cf5ca7474983e15e136022cd98c4ab9b6063bd4
- SHA512: 7b4c28d71348e798f3ddc7084767424754556a02a436b91e7516408b75031df32b4ba08fc60d658aeb381538c89bdf867373127ef29f6b03ec1ece56cf2e6da6
- Score: 3/10
Malware Config
Signatures
- Program crash (1 IoCs)
  Processes:
    pid   | pid_target | process      | target process
    1472  | 1192       | WerFault.exe | Q-700004637 1004913.exe

- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
    pid   | process
    1472  | WerFault.exe
    1472  | WerFault.exe
    1472  | WerFault.exe
    1472  | WerFault.exe

- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes:
    pid   | process
    1472  | WerFault.exe

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description             | pid   | process
    Token: SeDebugPrivilege | 1192  | Q-700004637 1004913.exe
    Token: SeDebugPrivilege | 1472  | WerFault.exe

- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
    description                      | pid   | process                 | target process
    PID 1192 wrote to memory of 1472 | 1192  | Q-700004637 1004913.exe | WerFault.exe
    PID 1192 wrote to memory of 1472 | 1192  | Q-700004637 1004913.exe | WerFault.exe
    PID 1192 wrote to memory of 1472 | 1192  | Q-700004637 1004913.exe | WerFault.exe
    PID 1192 wrote to memory of 1472 | 1192  | Q-700004637 1004913.exe | WerFault.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Q-700004637 1004913.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Q-700004637 1004913.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1192 -s 1548
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/1192-53-0x0000000000C50000-0x0000000000C51000-memory.dmp (Filesize: 4KB)
- memory/1192-55-0x0000000075871000-0x0000000075873000-memory.dmp (Filesize: 8KB)
- memory/1192-56-0x00000000021D0000-0x00000000021D1000-memory.dmp (Filesize: 4KB)
- memory/1472-57-0x0000000000000000-mapping.dmp
- memory/1472-58-0x00000000004A0000-0x00000000004A1000-memory.dmp (Filesize: 4KB)