Analysis
- max time kernel: 120s
- max time network: 120s
- platform: windows7_x64
- resource: win7-en-20211014
- submitted: 01-12-2021 22:16
Static task: static1

Behavioral task: behavioral1
- Sample: yYa94CeATF8h2NA.exe
- Resource: win7-en-20211014 (windows7_x64)
- 0 signatures
- 0 seconds

Behavioral task: behavioral2
- Sample: yYa94CeATF8h2NA.exe
- Resource: win10-en-20211104 (windows10_x64)
- 0 signatures
- 0 seconds
General
- Target: yYa94CeATF8h2NA.exe
- Size: 487KB
- MD5: 5cd8d1a09875ac9ca4704234e681576b
- SHA1: 7fee9885235274a68ae46eabd4787e9af79862f7
- SHA256: 9aec6016c9ca5c060524efa96f6c278fd648bb7df9a0c31c4e870b2e05d01155
- SHA512: d531b0cdad852b28ae5cea633976fc43c64c54fc851f3100fb3ed550d126ff1b0081aba576aa96d2898411165c61c5cade6d8e610606855c7925424e2b39512c

Score: 3/10
Malware Config
Signatures
- Program crash (1 IoC)
  Processes (pid, pid_target, process, target process):
  1948  1156  WerFault.exe  yYa94CeATF8h2NA.exe

- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  Processes (pid, process):
  1156  yYa94CeATF8h2NA.exe  (6 events)
  1948  WerFault.exe  (4 events)

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description, pid, process):
  Token: SeDebugPrivilege  1156  yYa94CeATF8h2NA.exe
  Token: SeDebugPrivilege  1948  WerFault.exe

- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description, pid, process, target process):
  PID 1156 wrote to memory of 1948  1156  yYa94CeATF8h2NA.exe  WerFault.exe  (4 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\yYa94CeATF8h2NA.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\yYa94CeATF8h2NA.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WerFault.exe (child process)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1156 -s 720
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/1156-55-0x0000000000280000-0x0000000000281000-memory.dmp (Filesize: 4KB)
- memory/1156-57-0x0000000076531000-0x0000000076533000-memory.dmp (Filesize: 8KB)
- memory/1156-58-0x0000000004BE0000-0x0000000004BE1000-memory.dmp (Filesize: 4KB)
- memory/1156-59-0x0000000000530000-0x0000000000536000-memory.dmp (Filesize: 24KB)
- memory/1156-60-0x0000000004D90000-0x0000000004DF9000-memory.dmp (Filesize: 420KB)
- memory/1948-61-0x0000000000000000-mapping.dmp
- memory/1948-62-0x0000000000340000-0x0000000000341000-memory.dmp (Filesize: 4KB)