a28c434e703d9d0961f526f87a61109c.exe

max time kernel119s
max time network119s
platformwindows7_x64
resourcewin7-en-20211104
submitted25-11-2021 16:47

Report
Files
Registry
Network
Processes
Mutex
Misc

Target

Filesize

662KB

Completed

25-11-2021 16:49

Score

3^/10

MD5

a28c434e703d9d0961f526f87a61109c

SHA1

c18ce22d993ee202d7c4e91aeda8f602a1ddb054

SHA256

1a58c708f0c8b203949c9f180813f7fd6665b2f7bbf6f474b39d94e3d6638a30

Program crash
WerFault.exe

Reported IOCs

pid pid_target process target process

276 1992 WerFault.exe a28c434e703d9d0961f526f87a61109c.exe
Suspicious behavior: EnumeratesProcesses
a28c434e703d9d0961f526f87a61109c.exeWerFault.exe

Reported IOCs

pid process

1992 a28c434e703d9d0961f526f87a61109c.exe
276 WerFault.exe
276 WerFault.exe
276 WerFault.exe
276 WerFault.exe
276 WerFault.exe
Suspicious behavior: GetForegroundWindowSpam
WerFault.exe

Reported IOCs

pid process

276 WerFault.exe
Suspicious use of AdjustPrivilegeToken
a28c434e703d9d0961f526f87a61109c.exeWerFault.exe

Reported IOCs

description pid process

Token: SeDebugPrivilege 1992 a28c434e703d9d0961f526f87a61109c.exe
Token: SeDebugPrivilege 276 WerFault.exe

pid	pid_target	process	target process
276	1992	WerFault.exe	a28c434e703d9d0961f526f87a61109c.exe

pid	process
1992	a28c434e703d9d0961f526f87a61109c.exe
276	WerFault.exe
276	WerFault.exe
276	WerFault.exe
276	WerFault.exe
276	WerFault.exe

pid	process
276	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	1992	a28c434e703d9d0961f526f87a61109c.exe
Token: SeDebugPrivilege	276	WerFault.exe

Suspicious use of WriteProcessMemory

a28c434e703d9d0961f526f87a61109c.exe

Reported IOCs

description	pid	process	target process
PID 1992 wrote to memory of 276	1992	a28c434e703d9d0961f526f87a61109c.exe	WerFault.exe
PID 1992 wrote to memory of 276	1992	a28c434e703d9d0961f526f87a61109c.exe	WerFault.exe
PID 1992 wrote to memory of 276	1992	a28c434e703d9d0961f526f87a61109c.exe	WerFault.exe
PID 1992 wrote to memory of 276	1992	a28c434e703d9d0961f526f87a61109c.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\a28c434e703d9d0961f526f87a61109c.exe

"C:\Users\Admin\AppData\Local\Temp\a28c434e703d9d0961f526f87a61109c.exe"

Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory

PID:1992

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1992 -s 656

Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken

PID:276

Collection

Command and Control

Credential Access

Defense Evasion

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

00:00 00:00

memory/276-62-0x0000000000320000-0x0000000000321000-memory.dmp

Download
memory/276-61-0x0000000000000000-mapping.dmp

Download
memory/1992-57-0x0000000000AE0000-0x0000000000B5B000-memory.dmp

Download
memory/1992-58-0x0000000000D60000-0x0000000000D61000-memory.dmp

Download
memory/1992-59-0x0000000000A70000-0x0000000000A97000-memory.dmp

Download
memory/1992-60-0x0000000000580000-0x000000000059B000-memory.dmp

Download
memory/1992-55-0x0000000000F50000-0x0000000000F51000-memory.dmp

Download

a28c434e703d9d0961f526f87a61109c.exe

Filter: none

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Title