Analysis
-
max time kernel
146s -
max time network
118s -
platform
windows7_x64 -
resource
win7-en-20211104 -
submitted
07-12-2021 10:48
Static task
static1
Behavioral task
behavioral1
Sample
a3f88b358aeb96f7d3cce152c6ef88f5.exe
Resource
win7-en-20211104
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
a3f88b358aeb96f7d3cce152c6ef88f5.exe
Resource
win10-en-20211014
windows10_x64
0 signatures
0 seconds
General
-
Target
a3f88b358aeb96f7d3cce152c6ef88f5.exe
-
Size
596KB
-
MD5
a3f88b358aeb96f7d3cce152c6ef88f5
-
SHA1
71f1ace1dbdfdf252a6353e137e76003ef0c1b73
-
SHA256
cabaec74ffa9d9e52b03f48c8ff2c3e87c98aa39c032c7f82385c3b11f5d0025
-
SHA512
ac8a39a6544d709c12711558ed2acbf4961e74ac791fe817c05b90c1078c68b3ce87abf79236054cebdae2fd53833faaeca213b2c7a006667123d47684f9848c
Score
3/10
Malware Config
Signatures
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 1248 844 WerFault.exe a3f88b358aeb96f7d3cce152c6ef88f5.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
WerFault.exepid process 1248 WerFault.exe 1248 WerFault.exe 1248 WerFault.exe 1248 WerFault.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
WerFault.exepid process 1248 WerFault.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
WerFault.exedescription pid process Token: SeDebugPrivilege 1248 WerFault.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
a3f88b358aeb96f7d3cce152c6ef88f5.exedescription pid process target process PID 844 wrote to memory of 1248 844 a3f88b358aeb96f7d3cce152c6ef88f5.exe WerFault.exe PID 844 wrote to memory of 1248 844 a3f88b358aeb96f7d3cce152c6ef88f5.exe WerFault.exe PID 844 wrote to memory of 1248 844 a3f88b358aeb96f7d3cce152c6ef88f5.exe WerFault.exe PID 844 wrote to memory of 1248 844 a3f88b358aeb96f7d3cce152c6ef88f5.exe WerFault.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\a3f88b358aeb96f7d3cce152c6ef88f5.exe"C:\Users\Admin\AppData\Local\Temp\a3f88b358aeb96f7d3cce152c6ef88f5.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 844 -s 6642⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/844-55-0x0000000000100000-0x0000000000101000-memory.dmpFilesize
4KB
-
memory/844-57-0x00000000758F1000-0x00000000758F3000-memory.dmpFilesize
8KB
-
memory/844-58-0x0000000000310000-0x0000000000318000-memory.dmpFilesize
32KB
-
memory/844-59-0x00000000047D0000-0x00000000047D1000-memory.dmpFilesize
4KB
-
memory/844-60-0x0000000004F30000-0x0000000004FAE000-memory.dmpFilesize
504KB
-
memory/1248-61-0x0000000000000000-mapping.dmp
-
memory/1248-62-0x0000000000530000-0x0000000000531000-memory.dmpFilesize
4KB