Analysis
- max time kernel: 120s
- max time network: 120s
- platform: windows7_x64
- resource: win7-en-20211104
- submitted: 02-12-2021 12:06

Static task: static1
Behavioral task: behavioral1
Sample: e7177244e16656b6f747d201f85084411e6553e5763abc35146b43669e402dc6.exe
Resource: win7-en-20211104
0 signatures
0 seconds
General
- Target: e7177244e16656b6f747d201f85084411e6553e5763abc35146b43669e402dc6.exe
- Size: 328KB
- MD5: 0ec7a7caabaf3d8e300227a90a599cb0
- SHA1: e56471a4d2ef8dc6e5bcee5c48c7b638dfa3b8ac
- SHA256: e7177244e16656b6f747d201f85084411e6553e5763abc35146b43669e402dc6
- SHA512: 9fca99b3c85f6ccaa11fd3de8f191db7af844f36194074c693e89338ede4f2cefd9f4904bc63ea1af1b6b10aad1630d85e144a0cdb08406dc9c60d7dd268c775

Score: 3/10
Malware Config
Signatures
- Program crash (1 IoCs)
  Processes:
  pid   pid_target   process        target process
  1476  572          WerFault.exe   e7177244e16656b6f747d201f85084411e6553e5763abc35146b43669e402dc6.exe
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes:
  pid   process
  572   e7177244e16656b6f747d201f85084411e6553e5763abc35146b43669e402dc6.exe
  1476  WerFault.exe
  1476  WerFault.exe
  1476  WerFault.exe
  1476  WerFault.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  description               pid   process
  Token: SeDebugPrivilege   572   e7177244e16656b6f747d201f85084411e6553e5763abc35146b43669e402dc6.exe
  Token: SeDebugPrivilege   1476  WerFault.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
  description                       pid   process                                                                 target process
  PID 572 wrote to memory of 1476   572   e7177244e16656b6f747d201f85084411e6553e5763abc35146b43669e402dc6.exe   WerFault.exe
  PID 572 wrote to memory of 1476   572   e7177244e16656b6f747d201f85084411e6553e5763abc35146b43669e402dc6.exe   WerFault.exe
  PID 572 wrote to memory of 1476   572   e7177244e16656b6f747d201f85084411e6553e5763abc35146b43669e402dc6.exe   WerFault.exe
  PID 572 wrote to memory of 1476   572   e7177244e16656b6f747d201f85084411e6553e5763abc35146b43669e402dc6.exe   WerFault.exe
Processes
- (1) C:\Users\Admin\AppData\Local\Temp\e7177244e16656b6f747d201f85084411e6553e5763abc35146b43669e402dc6.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e7177244e16656b6f747d201f85084411e6553e5763abc35146b43669e402dc6.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - (2) C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 572 -s 704
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/572-55-0x0000000000A00000-0x0000000000A01000-memory.dmp (Filesize: 4KB)
- memory/572-57-0x0000000075461000-0x0000000075463000-memory.dmp (Filesize: 8KB)
- memory/572-58-0x00000000003C0000-0x00000000003C8000-memory.dmp (Filesize: 32KB)
- memory/572-59-0x0000000004D80000-0x0000000004D81000-memory.dmp (Filesize: 4KB)
- memory/572-60-0x0000000002160000-0x00000000021A3000-memory.dmp (Filesize: 268KB)
- memory/1476-61-0x0000000000000000-mapping.dmp
- memory/1476-62-0x0000000000210000-0x0000000000268000-memory.dmp (Filesize: 352KB)