a28c434e703d9d0961f526f87a61109c.exe

General
Target: a28c434e703d9d0961f526f87a61109c.exe
Filesize: 662KB
Completed: 25-11-2021 16:49
Score: 3/10
MD5: a28c434e703d9d0961f526f87a61109c
SHA1: c18ce22d993ee202d7c4e91aeda8f602a1ddb054
SHA256: 1a58c708f0c8b203949c9f180813f7fd6665b2f7bbf6f474b39d94e3d6638a30

Malware Config
Signatures 5

  • Program crash
    WerFault.exe

    Reported IOCs

    pid   pid_target   process        target process
    276   1992         WerFault.exe   a28c434e703d9d0961f526f87a61109c.exe
  • Suspicious behavior: EnumeratesProcesses
    a28c434e703d9d0961f526f87a61109c.exe, WerFault.exe

    Reported IOCs

    pid    process
    1992   a28c434e703d9d0961f526f87a61109c.exe
    276    WerFault.exe (reported 5 times)
  • Suspicious behavior: GetForegroundWindowSpam
    WerFault.exe

    Reported IOCs

    pid    process
    276    WerFault.exe
  • Suspicious use of AdjustPrivilegeToken
    a28c434e703d9d0961f526f87a61109c.exe, WerFault.exe

    Reported IOCs

    description                pid    process
    Token: SeDebugPrivilege    1992   a28c434e703d9d0961f526f87a61109c.exe
    Token: SeDebugPrivilege    276    WerFault.exe
  • Suspicious use of WriteProcessMemory
    a28c434e703d9d0961f526f87a61109c.exe

    Reported IOCs

    description                        pid    process                                target process
    PID 1992 wrote to memory of 276    1992   a28c434e703d9d0961f526f87a61109c.exe   WerFault.exe (reported 4 times)
Processes 2
  • C:\Users\Admin\AppData\Local\Temp\a28c434e703d9d0961f526f87a61109c.exe
    "C:\Users\Admin\AppData\Local\Temp\a28c434e703d9d0961f526f87a61109c.exe"
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:1992
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1992 -s 656
      Program crash
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:276
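Every signature above is accounted for by the crash: the sample (PID 1992) spawned WerFault.exe with "-u -p 1992 -s 656", which is the Windows Error Reporting command line for reporting on that same PID, and WER acquires SeDebugPrivilege and enumerates processes to read the crashed process. The parent-to-child WriteProcessMemory hits are the normal process set-up a parent performs when it creates a child. With no network activity, no persistence and no ATT&CK techniques mapped, the 3/10 score says the sample crashed before doing anything observable, not that it is benign; it should be rerun in a different environment before drawing a conclusion. The following is an added example, not the sandbox's own code, that re-derives that reading from the process tree: it parses the WerFault.exe "-p" argument, checks that the reported PID is WerFault's own parent, and then treats writes from that parent into that WerFault child as expected. The process list and write events are constructed from the report above; the function and class names are assumptions of this example.

```python
"""Re-derive the verdict for a sandbox process tree in which WerFault.exe appears.

Input below is constructed from the report above (PIDs 1992 and 276); the
names Proc, werfault_target_pid, is_werfault and assess_tree are assumptions
of this example, not part of any sandbox vendor's API.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Proc:
    pid: int
    image: str                    # full image path as reported
    cmdline: str
    parent: Optional[int] = None  # parent PID, None if not in the tree


SAMPLE = "a28c434e703d9d0961f526f87a61109c.exe"

# Constructed from the report: the sample and the WerFault.exe it spawned.
PROCS: List[Proc] = [
    Proc(1992, r"C:\Users\Admin\AppData\Local\Temp\a28c434e703d9d0961f526f87a61109c.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\a28c434e703d9d0961f526f87a61109c.exe"'),
    Proc(276, r"C:\Windows\SysWOW64\WerFault.exe",
         r"C:\Windows\SysWOW64\WerFault.exe -u -p 1992 -s 656", parent=1992),
]

# Constructed from the report: four WriteProcessMemory events (writer pid, target pid).
WRITES: List[Tuple[int, int]] = [(1992, 276)] * 4

# WerFault.exe names the process it reports on with "-p <pid>".
_WER_PID = re.compile(r"(?:^|\s)-p\s+(\d+)(?=\s|$)")


def werfault_target_pid(cmdline: str) -> Optional[int]:
    """PID named by the -p switch of a WerFault.exe command line, or None."""
    m = _WER_PID.search(cmdline)
    return int(m.group(1)) if m else None


def is_werfault(p: Proc) -> bool:
    return ntpath.basename(p.image).lower() == "werfault.exe"


def assess_tree(procs: List[Proc], writes: List[Tuple[int, int]]) -> Dict[str, list]:
    """Classify WerFault launches and cross-process writes in a process tree.

    crashed_pids:       PIDs for which a WerFault child of that same PID was spawned
    odd_werfault_pids:  WerFault instances whose -p target is not their own parent
    unexplained_writes: (writer, target) pairs not explained by crash handling
    """
    by_pid = {p.pid: p for p in procs}
    crashed, odd = [], []
    for p in procs:
        if not is_werfault(p):
            continue
        tgt = werfault_target_pid(p.cmdline)
        if tgt is not None and tgt == p.parent:
            crashed.append(tgt)      # the parent crashed and WER is reporting on it
        else:
            odd.append(p.pid)        # WerFault used for something other than its parent

    unexplained = []
    for writer, target in writes:
        t = by_pid.get(target)
        # A parent writing into the WerFault child that reports on that parent is
        # ordinary child-process set-up, not injection.
        if (t is not None and is_werfault(t) and t.parent == writer
                and werfault_target_pid(t.cmdline) == writer):
            continue
        unexplained.append((writer, target))

    return {
        "crashed_pids": sorted(set(crashed)),
        "odd_werfault_pids": odd,
        "unexplained_writes": unexplained,
    }


if __name__ == "__main__":
    print(assess_tree(PROCS, WRITES))
```

Run against the constructed tree this returns crashed_pids [1992] with no odd WerFault instances and no unexplained writes, which is the "crashed before payload" reading. A WerFault.exe whose -p target is not its own parent, or a write into WerFault from a process other than the one it reports on, would be worth a closer look rather than being written off as crash noise.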
Network
MITRE ATT&CK Matrix
Tactic columns: Collection, Command and Control, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation (no techniques listed under any column)
Downloads
  • memory/276-62-0x0000000000320000-0x0000000000321000-memory.dmp
  • memory/276-61-0x0000000000000000-mapping.dmp
  • memory/1992-57-0x0000000000AE0000-0x0000000000B5B000-memory.dmp
  • memory/1992-58-0x0000000000D60000-0x0000000000D61000-memory.dmp
  • memory/1992-59-0x0000000000A70000-0x0000000000A97000-memory.dmp
  • memory/1992-60-0x0000000000580000-0x000000000059B000-memory.dmp
  • memory/1992-55-0x0000000000F50000-0x0000000000F51000-memory.dmp