790b64a5860a5069fedcb660efdffce2b5ab2195086100a6079697b662f0c198

General

Target

790b64a5860a5069fedcb660efdffce2b5ab2195086100a6079697b662f0c198_JC.exe
Size

570KB
MD5

9bb98f2989a73a1e3d8d490669462422
SHA1

480b65fe568acd420dacd4b935529f2505e94151
SHA256

790b64a5860a5069fedcb660efdffce2b5ab2195086100a6079697b662f0c198
SHA512

f84fe96c065c214d3ae623d81da9e0aacc0fdfb3751baa02505b4348d89e6c4a6d29703e579aef5f48ddbb1956c154e228b2337657b135b0a973cc9907e1651e
SSDEEP

12288:MTQp8eHRevUGXTYJ0M8SbYrAwhLtaczsQc0TwmqyAAJtT:cc82RGFj80pwY5aczXTNqyz

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

Processes:

790b64a5860a5069fedcb660efdffce2b5ab2195086100a6079697b662f0c198_JC.exe

description	pid	process	target process
PID 1456 set thread context of 2676	1456	790b64a5860a5069fedcb660efdffce2b5ab2195086100a6079697b662f0c198_JC.exe	790b64a5860a5069fedcb660efdffce2b5ab2195086100a6079697b662f0c198_JC.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2960 2676 WerFault.exe 790b64a5860a5069fedcb660efdffce2b5ab2195086100a6079697b662f0c198_JC.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

790b64a5860a5069fedcb660efdffce2b5ab2195086100a6079697b662f0c198_JC.exe

description pid process

Token: SeDebugPrivilege 1456 790b64a5860a5069fedcb660efdffce2b5ab2195086100a6079697b662f0c198_JC.exe

pid	pid_target	process	target process
2960	2676	WerFault.exe	790b64a5860a5069fedcb660efdffce2b5ab2195086100a6079697b662f0c198_JC.exe

description	pid	process
Token: SeDebugPrivilege	1456	790b64a5860a5069fedcb660efdffce2b5ab2195086100a6079697b662f0c198_JC.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

790b64a5860a5069fedcb660efdffce2b5ab2195086100a6079697b662f0c198_JC.exe790b64a5860a5069fedcb660efdffce2b5ab2195086100a6079697b662f0c198_JC.exe

C:\Users\Admin\AppData\Local\Temp\790b64a5860a5069fedcb660efdffce2b5ab2195086100a6079697b662f0c198_JC.exe
"C:\Users\Admin\AppData\Local\Temp\790b64a5860a5069fedcb660efdffce2b5ab2195086100a6079697b662f0c198_JC.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1456

C:\Users\Admin\AppData\Local\Temp\790b64a5860a5069fedcb660efdffce2b5ab2195086100a6079697b662f0c198_JC.exe
C:\Users\Admin\AppData\Local\Temp\790b64a5860a5069fedcb660efdffce2b5ab2195086100a6079697b662f0c198_JC.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:2676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 164
3⤵
- Program crash
PID:2960

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1456-0-0x0000000001140000-0x00000000011D4000-memory.dmp

Filesize
592KB

Download
memory/1456-1-0x0000000074190000-0x000000007487E000-memory.dmp

Filesize
6.9MB

Download
memory/1456-2-0x0000000000A70000-0x0000000000AB0000-memory.dmp

Filesize
256KB

Download
memory/1456-3-0x00000000005B0000-0x00000000005FA000-memory.dmp

Filesize
296KB

Download
memory/1456-4-0x0000000000B40000-0x0000000000B86000-memory.dmp

Filesize
280KB

Download
memory/1456-5-0x0000000000B80000-0x0000000000BB4000-memory.dmp

Filesize
208KB

Download
memory/1456-6-0x0000000000D10000-0x0000000000D5C000-memory.dmp

Filesize
304KB

Download
memory/1456-18-0x0000000074190000-0x000000007487E000-memory.dmp

Filesize
6.9MB

Download
memory/2676-9-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2676-10-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2676-11-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2676-12-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2676-13-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2676-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2676-16-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2676-7-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2676-19-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download

description	pid	process	target process
PID 1456 wrote to memory of 2676	1456	790b64a5860a5069fedcb660efdffce2b5ab2195086100a6079697b662f0c198_JC.exe	790b64a5860a5069fedcb660efdffce2b5ab2195086100a6079697b662f0c198_JC.exe
PID 1456 wrote to memory of 2676	1456	790b64a5860a5069fedcb660efdffce2b5ab2195086100a6079697b662f0c198_JC.exe	790b64a5860a5069fedcb660efdffce2b5ab2195086100a6079697b662f0c198_JC.exe
PID 1456 wrote to memory of 2676	1456	790b64a5860a5069fedcb660efdffce2b5ab2195086100a6079697b662f0c198_JC.exe	790b64a5860a5069fedcb660efdffce2b5ab2195086100a6079697b662f0c198_JC.exe
PID 1456 wrote to memory of 2676	1456	790b64a5860a5069fedcb660efdffce2b5ab2195086100a6079697b662f0c198_JC.exe	790b64a5860a5069fedcb660efdffce2b5ab2195086100a6079697b662f0c198_JC.exe
PID 1456 wrote to memory of 2676	1456	790b64a5860a5069fedcb660efdffce2b5ab2195086100a6079697b662f0c198_JC.exe	790b64a5860a5069fedcb660efdffce2b5ab2195086100a6079697b662f0c198_JC.exe
PID 1456 wrote to memory of 2676	1456	790b64a5860a5069fedcb660efdffce2b5ab2195086100a6079697b662f0c198_JC.exe	790b64a5860a5069fedcb660efdffce2b5ab2195086100a6079697b662f0c198_JC.exe
PID 1456 wrote to memory of 2676	1456	790b64a5860a5069fedcb660efdffce2b5ab2195086100a6079697b662f0c198_JC.exe	790b64a5860a5069fedcb660efdffce2b5ab2195086100a6079697b662f0c198_JC.exe
PID 1456 wrote to memory of 2676	1456	790b64a5860a5069fedcb660efdffce2b5ab2195086100a6079697b662f0c198_JC.exe	790b64a5860a5069fedcb660efdffce2b5ab2195086100a6079697b662f0c198_JC.exe
PID 1456 wrote to memory of 2676	1456	790b64a5860a5069fedcb660efdffce2b5ab2195086100a6079697b662f0c198_JC.exe	790b64a5860a5069fedcb660efdffce2b5ab2195086100a6079697b662f0c198_JC.exe
PID 1456 wrote to memory of 2676	1456	790b64a5860a5069fedcb660efdffce2b5ab2195086100a6079697b662f0c198_JC.exe	790b64a5860a5069fedcb660efdffce2b5ab2195086100a6079697b662f0c198_JC.exe
PID 1456 wrote to memory of 2676	1456	790b64a5860a5069fedcb660efdffce2b5ab2195086100a6079697b662f0c198_JC.exe	790b64a5860a5069fedcb660efdffce2b5ab2195086100a6079697b662f0c198_JC.exe
PID 2676 wrote to memory of 2960	2676	790b64a5860a5069fedcb660efdffce2b5ab2195086100a6079697b662f0c198_JC.exe	WerFault.exe
PID 2676 wrote to memory of 2960	2676	790b64a5860a5069fedcb660efdffce2b5ab2195086100a6079697b662f0c198_JC.exe	WerFault.exe
PID 2676 wrote to memory of 2960	2676	790b64a5860a5069fedcb660efdffce2b5ab2195086100a6079697b662f0c198_JC.exe	WerFault.exe
PID 2676 wrote to memory of 2960	2676	790b64a5860a5069fedcb660efdffce2b5ab2195086100a6079697b662f0c198_JC.exe	WerFault.exe

Analysis

Sharing