Analysis
- max time kernel: 120s
- max time network: 123s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 05-01-2022 19:41

Static task: static1
Behavioral task: behavioral1
- Sample: 59f5aa2f3938d9478d3275caaa5eda91.exe
- Resource: win7-en-20211208
- Platform: windows7_x64
- 0 signatures
- 0 seconds
General
- Target: 59f5aa2f3938d9478d3275caaa5eda91.exe
- Size: 271KB
- MD5: 59f5aa2f3938d9478d3275caaa5eda91
- SHA1: 87fddce9bdff61168e35c09c09e04378137cfabc
- SHA256: 2bbe399540ca6bbcb26444284ed0cf85c0840a1d36c8bf3ca670be78a4975410
- SHA512: bb9282b6f89a5d887d84bedf9a782a5c774158aa670a17bf0d532dbaf0f9b0e3f57d7ca1bc14c9de0f46de27b08fef7bd172f018fdc9108d395859f2edb8243e
- Score: 3/10
Malware Config
Signatures
-
Program crash (1 IoC)
Processes:
  pid   pid_target   process        target process
  756   1508         WerFault.exe   59f5aa2f3938d9478d3275caaa5eda91.exe
-
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes:
  pid   process
  756   WerFault.exe
  756   WerFault.exe
  756   WerFault.exe
  756   WerFault.exe
-
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
  pid   process
  756   WerFault.exe
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description               pid    process
  Token: SeDebugPrivilege   1508   59f5aa2f3938d9478d3275caaa5eda91.exe
  Token: SeDebugPrivilege   756    WerFault.exe
-
Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
  description                          pid    process                                 target process
  PID 1508 wrote to memory of 756      1508   59f5aa2f3938d9478d3275caaa5eda91.exe    WerFault.exe
  PID 1508 wrote to memory of 756      1508   59f5aa2f3938d9478d3275caaa5eda91.exe    WerFault.exe
  PID 1508 wrote to memory of 756      1508   59f5aa2f3938d9478d3275caaa5eda91.exe    WerFault.exe
  PID 1508 wrote to memory of 756      1508   59f5aa2f3938d9478d3275caaa5eda91.exe    WerFault.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\59f5aa2f3938d9478d3275caaa5eda91.exe (tree depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\59f5aa2f3938d9478d3275caaa5eda91.exe"
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
  C:\Windows\SysWOW64\WerFault.exe (tree depth 2)
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 1152
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/756-58-0x0000000000000000-mapping.dmp
- memory/756-59-0x00000000002F0000-0x0000000000350000-memory.dmp (Filesize: 384KB)
- memory/1508-54-0x0000000000160000-0x00000000001AA000-memory.dmp (Filesize: 296KB)
- memory/1508-55-0x0000000000160000-0x00000000001AA000-memory.dmp (Filesize: 296KB)
- memory/1508-56-0x0000000076911000-0x0000000076913000-memory.dmp (Filesize: 8KB)
- memory/1508-57-0x0000000004D90000-0x0000000004D91000-memory.dmp (Filesize: 4KB)