Analysis
Max time kernel: 123s
Max time network: 125s
Platform: windows7_x64
Resource: win7-en-20211014
Submitted: 20-10-2021 06:24
Static task: static1
Behavioral task: behavioral1
  Sample: 6eba0e7094858880964c58e41c552db4.exe
  Resource: win7-en-20211014
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: 6eba0e7094858880964c58e41c552db4.exe
  Resource: win10-en-20210920
  0 signatures, 0 seconds
General
Target: 6eba0e7094858880964c58e41c552db4.exe
Size: 49KB
MD5: 6eba0e7094858880964c58e41c552db4
SHA1: 24bcd038d9b29d3b6eec68966f7b71b167396ab5
SHA256: fd231e801904a830dff83d1820747640d913afe2d3cae55b30625cbf775f1ba3
SHA512: 3aedf6562308f5317f07b0e1a17388aaafc9725b15034c998fe5768683e49017bc2c6be1cbea073ce37d843ecb9521700f196d893fadd7a6e4c4dc58a5b07079
Score: 3/10
Malware Config
Signatures
- Program crash (1 IoC)
  Processes:
    pid    pid_target   process        target process
    1572   1440         WerFault.exe   6eba0e7094858880964c58e41c552db4.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
    pid    process
    1572   WerFault.exe   (this row is reported 4 times)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description               pid    process
    Token: SeDebugPrivilege   1440   6eba0e7094858880964c58e41c552db4.exe
    Token: SeDebugPrivilege   1572   WerFault.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
    description                        pid    process                                target process
    PID 1440 wrote to memory of 1572   1440   6eba0e7094858880964c58e41c552db4.exe   WerFault.exe   (this row is reported 4 times)
Processes
1. C:\Users\Admin\AppData\Local\Temp\6eba0e7094858880964c58e41c552db4.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\6eba0e7094858880964c58e41c552db4.exe"
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\WerFault.exe (child of 1)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1440 -s 1060
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
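Reading the tree above: WerFault.exe was started from SysWOW64 with `-p 1440`, the PID of the sample, so the sample ran as a 32-bit process on 64-bit Windows and crashed. The four `WriteProcessMemory` rows from 1440 into 1572 and the SeDebugPrivilege token on 1572 belong to that crash hand-off to Windows Error Reporting, not to code injection, which is why the run scores 3/10 with nothing recorded beyond the sample's own privilege request and the crash. The Python below is an added triage helper, not part of this sandbox report or its vendor's tooling; the process and memory-write records are constructed from the rows on this page, and the `child-spawn` rule (a parent's write into a process it has just created, as observed by a sandbox hook) is an assumption about how such sandboxes attribute process creation.

```python
"""Added example: separate WerFault crash handling from process injection
when reading sandbox 'WriteProcessMemory' signatures.

Records are constructed from this report: sample pid 1440 requested
SeDebugPrivilege, crashed, and the WoW64 crash handler WerFault.exe
(pid 1572) was launched with '-p 1440', naming the faulting process.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Process:
    pid: int
    image: str                 # full image path as the sandbox reports it
    cmdline: str
    parent: Optional[int] = None


@dataclass
class MemWrite:
    src: int                   # pid that called WriteProcessMemory
    dst: int                   # pid whose memory was written


SAMPLE = "6eba0e7094858880964c58e41c552db4.exe"

# Constructed from the Processes / Signatures sections of this page.
PROCESSES: List[Process] = [
    Process(1440, r"C:\Users\Admin\AppData\Local\Temp\\" + SAMPLE,
            r'"C:\Users\Admin\AppData\Local\Temp\\' + SAMPLE + '"'),
    Process(1572, r"C:\Windows\SysWOW64\WerFault.exe",
            r"C:\Windows\SysWOW64\WerFault.exe -u -p 1440 -s 1060", parent=1440),
]
MEM_WRITES: List[MemWrite] = [MemWrite(1440, 1572)] * 4   # four identical rows


def werfault_target(proc: Process) -> Optional[int]:
    """Return the faulting pid from 'WerFault.exe ... -p <pid>', else None."""
    if not proc.image.lower().endswith(r"\werfault.exe"):
        return None
    m = re.search(r"(?:^|\s)-p\s+(\d+)", proc.cmdline)
    return int(m.group(1)) if m else None


def is_wow64(proc: Process) -> bool:
    """True when the image lives under SysWOW64: a 32-bit process on x64 Windows."""
    return "\\syswow64\\" in proc.image.lower()


def classify_writes(procs: List[Process],
                    writes: List[MemWrite]) -> Dict[Tuple[int, int], str]:
    """Label each WriteProcessMemory edge (src pid, dst pid).

    crash-handler        dst is WerFault.exe started with '-p <src>': the writer
                         is the crashing process handing off to error reporting.
    child-spawn          writer is dst's parent; assumed to be the sandbox hook
                         seeing process creation, benign on its own.
    injection-candidate  anything else: a write into an unrelated process.
    """
    by_pid = {p.pid: p for p in procs}
    labels: Dict[Tuple[int, int], str] = {}
    for w in writes:
        dst = by_pid.get(w.dst)
        if dst is not None and werfault_target(dst) == w.src:
            labels[(w.src, w.dst)] = "crash-handler"
        elif dst is not None and dst.parent == w.src:
            labels[(w.src, w.dst)] = "child-spawn"
        else:
            labels[(w.src, w.dst)] = "injection-candidate"
    return labels


if __name__ == "__main__":
    for edge, label in classify_writes(PROCESSES, MEM_WRITES).items():
        print(f"{edge[0]} -> {edge[1]}: {label}")
    print("sample is WoW64:", is_wow64(PROCESSES[1]))
```

Run as-is it labels the single 1440 -> 1572 edge `crash-handler`; feeding it a write into a process that is neither WerFault for the writer nor the writer's own child yields `injection-candidate`, which is the case that deserves a closer look at the dumped regions.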
Network
MITRE ATT&CK Matrix
Downloads
File                                                                Filesize
memory/1440-55-0x0000000000D40000-0x0000000000D41000-memory.dmp    4KB
memory/1440-57-0x0000000075F41000-0x0000000075F43000-memory.dmp    8KB
memory/1440-58-0x0000000000A40000-0x0000000000A41000-memory.dmp    4KB
memory/1572-59-0x0000000000000000-mapping.dmp
memory/1572-61-0x0000000000210000-0x0000000000211000-memory.dmp    4KB