Analysis
- max time kernel: 147s
- max time network: 120s
- platform: windows7_x64
- resource: win7-en-20211104
- submitted: 03-12-2021 12:19
Static task: static1

Behavioral task: behavioral1
- Sample: 7e3b08163812d6a9ff4e279058f603e5.exe
- Resource: win7-en-20211104 (windows7_x64)
- 0 signatures
- 0 seconds

Behavioral task: behavioral2
- Sample: 7e3b08163812d6a9ff4e279058f603e5.exe
- Resource: win10-en-20211014 (windows10_x64)
- 0 signatures
- 0 seconds
General
- Target: 7e3b08163812d6a9ff4e279058f603e5.exe
- Size: 388KB
- MD5: 7e3b08163812d6a9ff4e279058f603e5
- SHA1: 29a1e69c99fadc447a6958c24e45c71127e88d6b
- SHA256: a6a4c5aaefa51d2f614a6f21e83b64d63e29fb868c8d410dacf317ad220f774a
- SHA512: 7682105ae32834638f77c1c3282bdc3eefc42d922843d12aa346f4c9b2d68269764677b29444953bbff8a9245d2c14416817e879550b170a1921d14366af492b
- Score: 3/10
Malware Config
Signatures
-
- Program crash (1 IoCs)
  Processes:
  pid   pid_target   process        target process
  1372  1412         WerFault.exe   7e3b08163812d6a9ff4e279058f603e5.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
  pid   process
  1372  WerFault.exe (4 occurrences)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes:
  pid   process
  1372  WerFault.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  description                 pid   process
  Token: SeDebugPrivilege     1372  WerFault.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
  description                         pid   process                                 target process
  PID 1412 wrote to memory of 1372    1412  7e3b08163812d6a9ff4e279058f603e5.exe    WerFault.exe (4 occurrences)
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\7e3b08163812d6a9ff4e279058f603e5.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\7e3b08163812d6a9ff4e279058f603e5.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1412 -s 668
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
-
- memory/1372-61-0x0000000000000000-mapping.dmp
- memory/1372-62-0x0000000000420000-0x0000000000421000-memory.dmp (Filesize: 4KB)
- memory/1412-55-0x00000000009A0000-0x00000000009A1000-memory.dmp (Filesize: 4KB)
- memory/1412-57-0x0000000075141000-0x0000000075143000-memory.dmp (Filesize: 8KB)
- memory/1412-58-0x00000000003E0000-0x00000000003E8000-memory.dmp (Filesize: 32KB)
- memory/1412-59-0x0000000000660000-0x0000000000661000-memory.dmp (Filesize: 4KB)
- memory/1412-60-0x0000000005110000-0x000000000515B000-memory.dmp (Filesize: 300KB)