Analysis
-
max time kernel
333s -
max time network
836s -
platform
windows10_x64 -
resource
win10-en-20210920 -
submitted
22-10-2021 09:05
Static task
static1
General
-
Target
5feeee23ecd310ed552b56c1992d5e7f6dbf4e656224a9f3073b83770768e994.bin.sample.exe
-
Size
505KB
-
MD5
4d5abd974d213339274581a49e9c2780
-
SHA1
84d211bdd139ac61f760a3d396c7e19680163313
-
SHA256
5feeee23ecd310ed552b56c1992d5e7f6dbf4e656224a9f3073b83770768e994
-
SHA512
0d3daa629fc8161028358b4a496eac4427f2cc9f30999b1a02e89d7a7104ded24e33687c31f7cc2d6b1c5e89e14689b7a265d3b1b4e581a91f03047a52045dcd
Malware Config
Signatures
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
5feeee23ecd310ed552b56c1992d5e7f6dbf4e656224a9f3073b83770768e994.bin.sample.exedescription pid process target process PID 756 set thread context of 4588 756 5feeee23ecd310ed552b56c1992d5e7f6dbf4e656224a9f3073b83770768e994.bin.sample.exe 5feeee23ecd310ed552b56c1992d5e7f6dbf4e656224a9f3073b83770768e994.bin.sample.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 4476 756 WerFault.exe 5feeee23ecd310ed552b56c1992d5e7f6dbf4e656224a9f3073b83770768e994.bin.sample.exe -
Suspicious behavior: EnumeratesProcesses 13 IoCs
Processes:
WerFault.exepid process 4476 WerFault.exe 4476 WerFault.exe 4476 WerFault.exe 4476 WerFault.exe 4476 WerFault.exe 4476 WerFault.exe 4476 WerFault.exe 4476 WerFault.exe 4476 WerFault.exe 4476 WerFault.exe 4476 WerFault.exe 4476 WerFault.exe 4476 WerFault.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
WerFault.exedescription pid process Token: SeRestorePrivilege 4476 WerFault.exe Token: SeBackupPrivilege 4476 WerFault.exe Token: SeDebugPrivilege 4476 WerFault.exe -
Suspicious use of WriteProcessMemory 10 IoCs
Processes:
5feeee23ecd310ed552b56c1992d5e7f6dbf4e656224a9f3073b83770768e994.bin.sample.exedescription pid process target process PID 756 wrote to memory of 4588 756 5feeee23ecd310ed552b56c1992d5e7f6dbf4e656224a9f3073b83770768e994.bin.sample.exe 5feeee23ecd310ed552b56c1992d5e7f6dbf4e656224a9f3073b83770768e994.bin.sample.exe PID 756 wrote to memory of 4588 756 5feeee23ecd310ed552b56c1992d5e7f6dbf4e656224a9f3073b83770768e994.bin.sample.exe 5feeee23ecd310ed552b56c1992d5e7f6dbf4e656224a9f3073b83770768e994.bin.sample.exe PID 756 wrote to memory of 4588 756 5feeee23ecd310ed552b56c1992d5e7f6dbf4e656224a9f3073b83770768e994.bin.sample.exe 5feeee23ecd310ed552b56c1992d5e7f6dbf4e656224a9f3073b83770768e994.bin.sample.exe PID 756 wrote to memory of 4588 756 5feeee23ecd310ed552b56c1992d5e7f6dbf4e656224a9f3073b83770768e994.bin.sample.exe 5feeee23ecd310ed552b56c1992d5e7f6dbf4e656224a9f3073b83770768e994.bin.sample.exe PID 756 wrote to memory of 4588 756 5feeee23ecd310ed552b56c1992d5e7f6dbf4e656224a9f3073b83770768e994.bin.sample.exe 5feeee23ecd310ed552b56c1992d5e7f6dbf4e656224a9f3073b83770768e994.bin.sample.exe PID 756 wrote to memory of 4588 756 5feeee23ecd310ed552b56c1992d5e7f6dbf4e656224a9f3073b83770768e994.bin.sample.exe 5feeee23ecd310ed552b56c1992d5e7f6dbf4e656224a9f3073b83770768e994.bin.sample.exe PID 756 wrote to memory of 4588 756 5feeee23ecd310ed552b56c1992d5e7f6dbf4e656224a9f3073b83770768e994.bin.sample.exe 5feeee23ecd310ed552b56c1992d5e7f6dbf4e656224a9f3073b83770768e994.bin.sample.exe PID 756 wrote to memory of 4588 756 5feeee23ecd310ed552b56c1992d5e7f6dbf4e656224a9f3073b83770768e994.bin.sample.exe 5feeee23ecd310ed552b56c1992d5e7f6dbf4e656224a9f3073b83770768e994.bin.sample.exe PID 756 wrote to memory of 4588 756 5feeee23ecd310ed552b56c1992d5e7f6dbf4e656224a9f3073b83770768e994.bin.sample.exe 5feeee23ecd310ed552b56c1992d5e7f6dbf4e656224a9f3073b83770768e994.bin.sample.exe PID 756 wrote to memory of 4588 756 5feeee23ecd310ed552b56c1992d5e7f6dbf4e656224a9f3073b83770768e994.bin.sample.exe 5feeee23ecd310ed552b56c1992d5e7f6dbf4e656224a9f3073b83770768e994.bin.sample.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\5feeee23ecd310ed552b56c1992d5e7f6dbf4e656224a9f3073b83770768e994.bin.sample.exe"C:\Users\Admin\AppData\Local\Temp\5feeee23ecd310ed552b56c1992d5e7f6dbf4e656224a9f3073b83770768e994.bin.sample.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\5feeee23ecd310ed552b56c1992d5e7f6dbf4e656224a9f3073b83770768e994.bin.sample.exe"C:\Users\Admin\AppData\Local\Temp\5feeee23ecd310ed552b56c1992d5e7f6dbf4e656224a9f3073b83770768e994.bin.sample.exe"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 756 -s 5442⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken