Analysis
-
max time kernel
121s -
max time network
121s -
platform
windows7_x64 -
resource
win7-en-20211014 -
submitted
07-12-2021 10:49
Static task
static1
Behavioral task
behavioral1
Sample
040c97d88d85a6125f0d00bc5173f94a.exe
Resource
win7-en-20211014
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
040c97d88d85a6125f0d00bc5173f94a.exe
Resource
win10-en-20211104
windows10_x64
0 signatures
0 seconds
General
-
Target
040c97d88d85a6125f0d00bc5173f94a.exe
-
Size
600KB
-
MD5
040c97d88d85a6125f0d00bc5173f94a
-
SHA1
7d6f268c252f97a004f2b123aed5b8bafbf43350
-
SHA256
1a2eb9acfe8bb06d2b0e8e5124bbc123d4aeffacc0d129c7d9a2c36be3786b76
-
SHA512
5401f2e0e88db389746012d5f1041540b5f6ba1f64c09e8d945a1a41100de459c73c7a401a4ef982403a5613dd9d72ca9a4dd1cd6004fa7eb264791c2a47f0b7
Score
3/10
Malware Config
Signatures
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 544 1100 WerFault.exe 040c97d88d85a6125f0d00bc5173f94a.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
WerFault.exepid process 544 WerFault.exe 544 WerFault.exe 544 WerFault.exe 544 WerFault.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
WerFault.exedescription pid process Token: SeDebugPrivilege 544 WerFault.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
040c97d88d85a6125f0d00bc5173f94a.exedescription pid process target process PID 1100 wrote to memory of 544 1100 040c97d88d85a6125f0d00bc5173f94a.exe WerFault.exe PID 1100 wrote to memory of 544 1100 040c97d88d85a6125f0d00bc5173f94a.exe WerFault.exe PID 1100 wrote to memory of 544 1100 040c97d88d85a6125f0d00bc5173f94a.exe WerFault.exe PID 1100 wrote to memory of 544 1100 040c97d88d85a6125f0d00bc5173f94a.exe WerFault.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\040c97d88d85a6125f0d00bc5173f94a.exe"C:\Users\Admin\AppData\Local\Temp\040c97d88d85a6125f0d00bc5173f94a.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1100 -s 6642⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/544-61-0x0000000000000000-mapping.dmp
-
memory/544-62-0x0000000000410000-0x0000000000411000-memory.dmpFilesize
4KB
-
memory/1100-55-0x0000000001020000-0x0000000001021000-memory.dmpFilesize
4KB
-
memory/1100-57-0x00000000768A1000-0x00000000768A3000-memory.dmpFilesize
8KB
-
memory/1100-58-0x0000000004BC0000-0x0000000004BC1000-memory.dmpFilesize
4KB
-
memory/1100-59-0x00000000003B0000-0x00000000003B8000-memory.dmpFilesize
32KB
-
memory/1100-60-0x0000000004FE0000-0x000000000505B000-memory.dmpFilesize
492KB