Analysis

max time kernel: 110s
max time network: 123s
platform: windows10_x64
resource: win10-en-20211014
submitted: 21-10-2021 18:06
Static task: static1

Behavioral task: behavioral1
Sample: 2e86f7dfe3f2f795ef1995bd9d6efdea.exe
Resource: win7-en-20211014 (windows7_x64)
0 signatures, 0 seconds

Behavioral task: behavioral2
Sample: 2e86f7dfe3f2f795ef1995bd9d6efdea.exe
Resource: win10-en-20211014 (windows10_x64)
0 signatures, 0 seconds
General

Target: 2e86f7dfe3f2f795ef1995bd9d6efdea.exe
Size: 390KB
MD5: 2e86f7dfe3f2f795ef1995bd9d6efdea
SHA1: a2c279c2c2ffd37bd6ee59eadfe037d7e3524c1e
SHA256: 20e5765385bc92922a64f7454367d98a77693adfd62bcb4a44703705ddffbdb0
SHA512: 1c3aca6e80ddd3353c0fcb62895c81b3e398a44d40539dba37768e11ca6eb0cb7657d4a1b4d3878a3e0317153a2629288f34e34d15f2b6eaea26aebd704b18d0
Score: 10/10
Malware Config
Signatures
-
Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
Processes:
description              pid   process       target process
PID 1460 created 3208    1460  WerFault.exe  2e86f7dfe3f2f795ef1995bd9d6efdea.exe
-
Downloads MZ/PE file
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
This is a generic sandbox heuristic: the report lists no file-encryption, ransom-note or file-modification IoCs, and the only recorded activity after launch is the repeated WerFault.exe crash handling below.
-
Program crash (9 IoCs)
All nine crash reports are raised by C:\Windows\SysWOW64\WerFault.exe against the same target, PID 3208. The SysWOW64 copy of WerFault.exe handles crashes of 32-bit processes on 64-bit Windows, so the sample runs as a 32-bit process.
Processes:
pid    pid_target  process       target process
4560   3208        WerFault.exe  2e86f7dfe3f2f795ef1995bd9d6efdea.exe
4456   3208        WerFault.exe  2e86f7dfe3f2f795ef1995bd9d6efdea.exe
3304   3208        WerFault.exe  2e86f7dfe3f2f795ef1995bd9d6efdea.exe
640    3208        WerFault.exe  2e86f7dfe3f2f795ef1995bd9d6efdea.exe
856    3208        WerFault.exe  2e86f7dfe3f2f795ef1995bd9d6efdea.exe
360    3208        WerFault.exe  2e86f7dfe3f2f795ef1995bd9d6efdea.exe
1200   3208        WerFault.exe  2e86f7dfe3f2f795ef1995bd9d6efdea.exe
1272   3208        WerFault.exe  2e86f7dfe3f2f795ef1995bd9d6efdea.exe
1460   3208        WerFault.exe  2e86f7dfe3f2f795ef1995bd9d6efdea.exe
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
All 64 entries belong to WerFault.exe instances, not to the sample itself.
Processes:
pid    process       entries
4560   WerFault.exe  12
4456   WerFault.exe  12
3304   WerFault.exe  12
640    WerFault.exe  12
856    WerFault.exe  12
360    WerFault.exe  4
-
Suspicious use of AdjustPrivilegeToken (11 IoCs)
Every privilege adjustment is made by a WerFault.exe instance; none is attributed to the sample. This is expected for the Windows crash handler, which enables SeDebugPrivilege so it can open the crashed process and write a dump.
Processes:
description                pid   process
Token: SeRestorePrivilege  4560  WerFault.exe
Token: SeBackupPrivilege   4560  WerFault.exe
Token: SeDebugPrivilege    4560  WerFault.exe
Token: SeDebugPrivilege    4456  WerFault.exe
Token: SeDebugPrivilege    3304  WerFault.exe
Token: SeDebugPrivilege    640   WerFault.exe
Token: SeDebugPrivilege    856   WerFault.exe
Token: SeDebugPrivilege    360   WerFault.exe
Token: SeDebugPrivilege    1200  WerFault.exe
Token: SeDebugPrivilege    1272  WerFault.exe
Token: SeDebugPrivilege    1460  WerFault.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2e86f7dfe3f2f795ef1995bd9d6efdea.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\2e86f7dfe3f2f795ef1995bd9d6efdea.exe"
(PID 3208, the target of every WerFault.exe invocation below)
-
    C:\Windows\SysWOW64\WerFault.exe (depth 2)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3208 -s 660
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
-
    C:\Windows\SysWOW64\WerFault.exe (depth 2)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3208 -s 740
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
-
    C:\Windows\SysWOW64\WerFault.exe (depth 2)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3208 -s 772
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
-
    C:\Windows\SysWOW64\WerFault.exe (depth 2)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3208 -s 792
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
-
    C:\Windows\SysWOW64\WerFault.exe (depth 2)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3208 -s 840
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
-
    C:\Windows\SysWOW64\WerFault.exe (depth 2)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3208 -s 888
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
-
    C:\Windows\SysWOW64\WerFault.exe (depth 2)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3208 -s 1296
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
-
    C:\Windows\SysWOW64\WerFault.exe (depth 2)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3208 -s 1308
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
-
    C:\Windows\SysWOW64\WerFault.exe (depth 2)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3208 -s 1408
    - Suspicious use of NtCreateProcessExOtherParentProcess
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
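As an added example (it is not part of the sandbox report and is not the sample's code), the Python script below shows how the "Program crash" IoCs above can be recovered from ordinary process-creation telemetry: it parses WerFault.exe command lines of the "-u -p <pid> -s <n>" form seen in this report, groups them by the PID they report on, and flags any PID that crashed at least `threshold` times, recording whether the SysWOW64 copy of WerFault.exe handled it (which on 64-bit Windows means the target was a 32-bit process). The SAMPLE_EVENTS records are constructed from the PIDs and command lines on this page rather than exported from a real log; the pairing of each WerFault.exe PID with a particular "-s" value, the record layout, the function names and the default threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed process-creation records (child pid, image path, command line)
# built from the PIDs and command lines in this report. The pairing of each
# WerFault.exe PID with a given "-s" value is an assumption; the report does
# not state which WerFault instance carried which value.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2e86f7dfe3f2f795ef1995bd9d6efdea.exe"
WERFAULT32 = r"C:\Windows\SysWOW64\WerFault.exe"
SAMPLE_EVENTS = [(3208, SAMPLE, f'"{SAMPLE}"')] + [
    (pid, WERFAULT32, f"{WERFAULT32} -u -p 3208 -s {s}")
    for pid, s in zip(
        [4560, 4456, 3304, 640, 856, 360, 1200, 1272, 1460],
        [660, 740, 772, 792, 840, 888, 1296, 1308, 1408],
    )
]

# Matches only the user-mode unhandled-exception form seen on this page
# (WerFault.exe -u -p <pid> -s <n>); other WerFault command-line forms are ignored.
WERFAULT_RE = re.compile(r"WerFault\.exe\s+-u\s+-p\s+(\d+)\s+-s\s+(\d+)", re.IGNORECASE)


def parse_werfault(cmdline):
    """Return (crashing_pid, s_value) for a matching WerFault command line, else None."""
    m = WERFAULT_RE.search(cmdline)
    if m is None:
        return None
    return int(m.group(1)), int(m.group(2))


def find_crash_loops(events, threshold=3):
    """Group WerFault.exe launches by the PID they report on.

    Returns {crashing_pid: summary} for every PID reported at least `threshold`
    times. `target_is_32bit` is True when the SysWOW64 copy of WerFault.exe
    handled the crash, which on 64-bit Windows means the target was 32-bit.
    """
    images = {pid: image for pid, image, _ in events}
    launches = defaultdict(list)
    wow64 = {}
    for pid, image, cmdline in events:
        parsed = parse_werfault(cmdline)
        if parsed is None:
            continue
        target, s_value = parsed
        launches[target].append((pid, s_value))
        wow64[target] = "syswow64" in image.lower()
    return {
        target: {
            "crash_count": len(hits),
            "werfault_pids": [pid for pid, _ in hits],
            "target_image": images.get(target, "<not in telemetry>"),
            "target_is_32bit": wow64[target],
        }
        for target, hits in launches.items()
        if len(hits) >= threshold
    }


if __name__ == "__main__":
    for target, summary in find_crash_loops(SAMPLE_EVENTS).items():
        print(f"PID {target} ({summary['target_image']}) crashed "
              f"{summary['crash_count']} times; 32-bit={summary['target_is_32bit']}")
```

Run against the constructed records, the script reports PID 3208 (the sample) with nine crashes handled by the 32-bit WerFault.exe, matching the "Program crash" table. When a single PID is reported this many times within a short run, as here, the sample did not get far past its entry point in this environment, so the behavioural signatures attributed to WerFault.exe say little about what the sample itself does; the crash dumps, or a run on a different resource, are the next thing to look at.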