8163f7fba4350fc6fb99bf2fd400bac200bba40098d36d6f9d0c059631e09d7b

Analysis

Target

8163f7fba4350fc6fb99bf2fd400bac200bba40098d36d6f9d0c059631e09d7b.exe
Size

1.7MB
MD5

bc287b93c1590e6ff76b62f223f25828
SHA1

94a2e1a580a1e2543299a417d6c8816e9480bf4b
SHA256

8163f7fba4350fc6fb99bf2fd400bac200bba40098d36d6f9d0c059631e09d7b
SHA512

7eee027b913fdc3716a57b658de664baad62291a08d2b412d8bacfe1c11749c44bdef6be1a715c211af47a550eee9d26ab02772353d46acae0c8d40a3f122b78

Score

6^/10

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 api.ipify.org
4 api.ipify.org

flow	ioc
5	api.ipify.org
4	api.ipify.org

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

8163f7fba4350fc6fb99bf2fd400bac200bba40098d36d6f9d0c059631e09d7b.exe

pid	process
1752	8163f7fba4350fc6fb99bf2fd400bac200bba40098d36d6f9d0c059631e09d7b.exe
1752	8163f7fba4350fc6fb99bf2fd400bac200bba40098d36d6f9d0c059631e09d7b.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1320 1752 WerFault.exe 8163f7fba4350fc6fb99bf2fd400bac200bba40098d36d6f9d0c059631e09d7b.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

8163f7fba4350fc6fb99bf2fd400bac200bba40098d36d6f9d0c059631e09d7b.exe

description pid process

Token: SeDebugPrivilege 1752 8163f7fba4350fc6fb99bf2fd400bac200bba40098d36d6f9d0c059631e09d7b.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

8163f7fba4350fc6fb99bf2fd400bac200bba40098d36d6f9d0c059631e09d7b.exe

pid process

1752 8163f7fba4350fc6fb99bf2fd400bac200bba40098d36d6f9d0c059631e09d7b.exe

pid	pid_target	process	target process
1320	1752	WerFault.exe	8163f7fba4350fc6fb99bf2fd400bac200bba40098d36d6f9d0c059631e09d7b.exe

description	pid	process
Token: SeDebugPrivilege	1752	8163f7fba4350fc6fb99bf2fd400bac200bba40098d36d6f9d0c059631e09d7b.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

8163f7fba4350fc6fb99bf2fd400bac200bba40098d36d6f9d0c059631e09d7b.exe

description	pid	process	target process
PID 1752 wrote to memory of 1320	1752	8163f7fba4350fc6fb99bf2fd400bac200bba40098d36d6f9d0c059631e09d7b.exe	WerFault.exe
PID 1752 wrote to memory of 1320	1752	8163f7fba4350fc6fb99bf2fd400bac200bba40098d36d6f9d0c059631e09d7b.exe	WerFault.exe
PID 1752 wrote to memory of 1320	1752	8163f7fba4350fc6fb99bf2fd400bac200bba40098d36d6f9d0c059631e09d7b.exe	WerFault.exe
PID 1752 wrote to memory of 1320	1752	8163f7fba4350fc6fb99bf2fd400bac200bba40098d36d6f9d0c059631e09d7b.exe	WerFault.exe

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1752 -s 1392
2⤵
- Program crash
PID:1320

memory/1320-56-0x0000000000000000-mapping.dmp

Download
memory/1752-54-0x0000000075BB1000-0x0000000075BB3000-memory.dmp

Filesize
8KB

Download
memory/1752-55-0x0000000001020000-0x0000000001462000-memory.dmp

Filesize
4.3MB

Download