Analysis
max time kernel:  146s
max time network: 150s
platform:         windows10_x64
resource:         win10-en-20211014
submitted:        01-12-2021 23:58
Static task: static1

Behavioral task: behavioral1
  Sample:   fbc3f3a7f0f45884391344b59f3be525~.exe
  Resource: win7-en-20211104 (windows7_x64)
  0 signatures, 0 seconds

Behavioral task: behavioral2
  Sample:   fbc3f3a7f0f45884391344b59f3be525~.exe
  Resource: win10-en-20211014 (windows10_x64)
  0 signatures, 0 seconds
General
Target: fbc3f3a7f0f45884391344b59f3be525~.exe
Size:   685KB
MD5:    545a4dd9df628154e366b4d6d2cd0d8a
SHA1:   8f4119a2b2dbfbd30176fe1dac214f6cad5c4561
SHA256: b04bbb925d5f966d67fbfe7bbd2531e8891b1eb275ef8140006bc48d10e66171
SHA512: ff7fe6d0aae893226bd277c13509584f0169a8804fa85ece1de149e49d9dde379cb1d50990636a5592bbf9abf175e5d5c00344b632183c020ba16556406676f1
Score:  6/10
Malware Config
Signatures

Adds Run key to start application (2 TTPs, 1 IoC)
Process:   fbc3f3a7f0f45884391344b59f3be525~.exe
Operation: Set value (str)
Key:       \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\Juknwfue
Value:     "C:\Users\Admin\Contacts\eufwnkuJ.url"

The key lives in the sandbox user's hive (HKCU for that account). Two details are worth carrying into detection: the autostart target is a .url Internet shortcut in the user's Contacts folder rather than an executable, and the value name (Juknwfue) is the shortcut's file name (eufwnkuJ) reversed. The report does not record the contents of the .url file, so what it launches is not known from this run.
Program crash (1 IoC)
pid   pid_target   process        target process
504   3500         WerFault.exe   fbc3f3a7f0f45884391344b59f3be525~.exe

Suspicious behavior: EnumeratesProcesses (12 IoCs)
pid   process
504   WerFault.exe   (12 identical entries)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
pid   process        token
504   WerFault.exe   SeRestorePrivilege
504   WerFault.exe   SeBackupPrivilege
504   WerFault.exe   SeDebugPrivilege

All three of these hits belong to WerFault.exe (pid 504), the Windows Error Reporting fault handler, not to the sample. The sample (pid 3500) crashed during the run; enumerating processes and enabling the backup, restore and debug privileges is what WerFault does to locate the faulting process and collect its dump. These signatures therefore document the crash itself rather than additional attacker behaviour, and the only sample-attributed behaviour in this run is the Run key persistence above.
Processes

C:\Users\Admin\AppData\Local\Temp\fbc3f3a7f0f45884391344b59f3be525~.exe   (pid 3500, per the crash record)
  command line: "C:\Users\Admin\AppData\Local\Temp\fbc3f3a7f0f45884391344b59f3be525~.exe"
  - Adds Run key to start application
  |
  +-- C:\Windows\SysWOW64\DpiScaling.exe
  |     command line: C:\Windows\System32\DpiScaling.exe
  |
  +-- C:\Windows\SysWOW64\WerFault.exe   (pid 504)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3500 -s 1984
        - Program crash
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

Two points about the tree. The sample asked for C:\Windows\System32\DpiScaling.exe but the image that ran is C:\Windows\SysWOW64\DpiScaling.exe: the sample is a 32-bit process, so WOW64 file system redirection mapped System32 to SysWOW64, which is also why the 32-bit WerFault.exe was used. Why the sample launches DpiScaling.exe, a legitimate Windows binary, is not shown by this run; the child exhibits no recorded behaviour. WerFault.exe -p 3500 names the crashed process, matching the pid_target in the Program crash signature, so WerFault's appearance as a child of the sample is the normal crash-reporting path and not a spawned payload.
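Added check, not part of the sandbox report: a PowerShell audit of the Run and RunOnce keys that flags entries shaped like the IoC above (an autostart value pointing at a .url or script file under a user-profile folder). The heuristics, function names and the folder list are this example's own assumptions; the sample path fed to it is the report's IoC, reproduced as constructed input.

```powershell
# Added example, not produced by the sandbox or the sample's author.
# Classifies a single Run-key command string and audits the live Run/RunOnce keys.

function Test-SuspiciousRunValue {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Command)

    $reasons = @()
    if ([string]::IsNullOrWhiteSpace($Command)) { return $reasons }

    # Quoted commands: the target is the quoted path. Otherwise classify the whole string.
    $target = if ($Command -match '^\s*"([^"]+)"') { $Matches[1] } else { $Command.Trim() }

    # Run values normally point at an .exe; shortcuts and script hosts are a red flag
    # (the observed IoC used a .url Internet shortcut).
    if ($target -match '\.(url|lnk|hta|js|jse|vbs|vbe|wsf|ps1|bat|cmd|scr)(\s|$)') {
        $reasons += "non-executable or script target (.$($Matches[1]))"
    }
    # Autostart from user-writable profile folders (the IoC used Contacts). Folder list is an assumption.
    if ($target -match '^[A-Za-z]:\\Users\\[^\\]+\\(Contacts|AppData|Desktop|Documents|Downloads|Music|Pictures|Videos|Favorites|Links)\\') {
        $reasons += "user-writable profile folder ($($Matches[1]))"
    }
    if ($target -match '\\Temp\\') { $reasons += 'temp directory' }
    # A value whose target no longer exists is either stale or a cleaned-up implant.
    if ($target -and -not (Test-Path -LiteralPath $target -ErrorAction SilentlyContinue)) {
        $reasons += 'target not on disk'
    }
    return $reasons
}

function Get-RunKeyFindings {
    # HKCU covers the auditing user only; other users' hives live under HKU:\<SID>.
    $roots = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($root in $roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        $key = Get-Item -LiteralPath $root
        foreach ($name in $key.GetValueNames()) {
            # Read the raw string so %VAR% references stay visible to the heuristics.
            $value   = [string]$key.GetValue($name, '', 'DoNotExpandEnvironmentNames')
            $reasons = @(Test-SuspiciousRunValue -Command $value)
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Key     = $root
                    Name    = $name
                    Command = $value
                    Reasons = ($reasons -join '; ')
                }
            }
        }
    }
}

# Constructed input mirroring the report's IoC: flagged for the .url target and the
# Contacts folder (and, on a clean host, for the target not being on disk).
Test-SuspiciousRunValue -Command 'C:\Users\Admin\Contacts\eufwnkuJ.url'

# Live audit of the current user's and the machine's Run keys.
Get-RunKeyFindings | Format-Table -AutoSize -Wrap
```

Run it in the context of the user whose hive is of interest, or extend the root list with HKU:\<SID>\Software\Microsoft\Windows\CurrentVersion\Run for loaded hives of other accounts. A hit on a shortcut target should be followed by reading the .url or .lnk file itself, since, as in this run, the registry value alone does not tell you what is ultimately launched.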