59f5aa2f3938d9478d3275caaa5eda91.exe

General
Target

59f5aa2f3938d9478d3275caaa5eda91.exe

Filesize

271KB

Completed

05-01-2022 19:43

Score
3/10
MD5

59f5aa2f3938d9478d3275caaa5eda91

SHA1

87fddce9bdff61168e35c09c09e04378137cfabc

SHA256

2bbe399540ca6bbcb26444284ed0cf85c0840a1d36c8bf3ca670be78a4975410

Malware Config
Signatures 5

  • Program crash
    WerFault.exe

    Reported IOCs

    pid   pid_target   process        target process
    756   1508         WerFault.exe   59f5aa2f3938d9478d3275caaa5eda91.exe
  • Suspicious behavior: EnumeratesProcesses
    WerFault.exe

    Reported IOCs

    pid   process
    756   WerFault.exe
    756   WerFault.exe
    756   WerFault.exe
    756   WerFault.exe
  • Suspicious behavior: GetForegroundWindowSpam
    WerFault.exe

    Reported IOCs

    pid   process
    756   WerFault.exe
  • Suspicious use of AdjustPrivilegeToken
    59f5aa2f3938d9478d3275caaa5eda91.exe, WerFault.exe

    Reported IOCs

    description               pid    process
    Token: SeDebugPrivilege   1508   59f5aa2f3938d9478d3275caaa5eda91.exe
    Token: SeDebugPrivilege   756    WerFault.exe
  • Suspicious use of WriteProcessMemory
    59f5aa2f3938d9478d3275caaa5eda91.exe

    Reported IOCs

    description                       pid    process                                target process
    PID 1508 wrote to memory of 756   1508   59f5aa2f3938d9478d3275caaa5eda91.exe   WerFault.exe
    PID 1508 wrote to memory of 756   1508   59f5aa2f3938d9478d3275caaa5eda91.exe   WerFault.exe
    PID 1508 wrote to memory of 756   1508   59f5aa2f3938d9478d3275caaa5eda91.exe   WerFault.exe
    PID 1508 wrote to memory of 756   1508   59f5aa2f3938d9478d3275caaa5eda91.exe   WerFault.exe
Processes 2
  • C:\Users\Admin\AppData\Local\Temp\59f5aa2f3938d9478d3275caaa5eda91.exe
    "C:\Users\Admin\AppData\Local\Temp\59f5aa2f3938d9478d3275caaa5eda91.exe"
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:1508
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 1152
      Program crash
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:756
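Every WriteProcessMemory hit in this report has the sample (PID 1508) writing into WerFault.exe (PID 756), and that WerFault instance was launched with `-p 1508`, i.e. to report on the sample's own crash. A crashing process starting WerFault.exe with `-u -p <its own pid> -s <event handle>` and handing it data is the ordinary Windows Error Reporting path, which is why the score stays low. The script below is an added triage example, not part of the sandbox report or its tooling: it transcribes the process tree and the WriteProcessMemory rows from the page into constructed data and labels each write as a crash-handler handoff (parent writes into a WerFault child spawned for the parent's pid) or as a cross-process write that deserves a closer look. The `Proc`, `classify_write` and `triage` names are mine.

```python
"""Added triage example: re-check the WriteProcessMemory signature against the
process tree. Process rows and pids are transcribed from the report above;
the helper names are assumptions of this example, not sandbox APIs."""

import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Proc:
    pid: int
    parent: Optional[int]
    image: str
    cmdline: str


# Process tree as shown in the report (constructed from the page).
PROCS: Dict[int, Proc] = {
    1508: Proc(1508, None, "59f5aa2f3938d9478d3275caaa5eda91.exe",
               r'"C:\Users\Admin\AppData\Local\Temp\59f5aa2f3938d9478d3275caaa5eda91.exe"'),
    756: Proc(756, 1508, "WerFault.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 1152"),
}

# "Suspicious use of WriteProcessMemory" rows as (writer pid, target pid).
WPM_EVENTS: List[Tuple[int, int]] = [(1508, 756)] * 4

# WerFault.exe -u -p <crashing pid> -s <event handle>
WERFAULT_PID = re.compile(r"(?:^|\s)-p\s+(\d+)(?:\s|$)")


def werfault_reported_pid(proc: Proc) -> Optional[int]:
    """Return the pid WerFault.exe was told to report on, or None."""
    if proc.image.lower() != "werfault.exe":
        return None
    m = WERFAULT_PID.search(proc.cmdline)
    return int(m.group(1)) if m else None


def classify_write(writer_pid: int, target_pid: int,
                   procs: Dict[int, Proc] = PROCS) -> str:
    """Label one WriteProcessMemory event.

    'crash-handler handoff': the writer is the target's parent and the target
        is a WerFault.exe launched to report on the writer's own pid.
    'cross-process write': any other target, worth a closer look.
    'unknown target': the target pid is not in the process tree.
    """
    target = procs.get(target_pid)
    if target is None:
        return "unknown target"
    if target.parent == writer_pid and werfault_reported_pid(target) == writer_pid:
        return "crash-handler handoff"
    return "cross-process write"


def triage(events: List[Tuple[int, int]] = WPM_EVENTS,
           procs: Dict[int, Proc] = PROCS) -> Dict[str, int]:
    """Count WriteProcessMemory events per label."""
    counts: Dict[str, int] = {}
    for writer, target in events:
        label = classify_write(writer, target, procs)
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    print(triage())  # → {'crash-handler handoff': 4}
```

The check keys on two facts that are both visible in the process list: the parent/child relationship and the `-p` pid in the WerFault command line. A WerFault.exe whose `-p` names a different pid than its parent, or a write into any other image, would not match and would be labelled as a cross-process write.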
Network
MITRE ATT&CK Matrix
Tactic columns: Collection, Command and Control, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation (no techniques are listed under any tactic)
Downloads
  • memory/756-58-0x0000000000000000-mapping.dmp
  • memory/756-59-0x00000000002F0000-0x0000000000350000-memory.dmp
  • memory/1508-54-0x0000000000160000-0x00000000001AA000-memory.dmp
  • memory/1508-55-0x0000000000160000-0x00000000001AA000-memory.dmp
  • memory/1508-56-0x0000000076911000-0x0000000076913000-memory.dmp
  • memory/1508-57-0x0000000004D90000-0x0000000004D91000-memory.dmp