fa7ed15708d988e7f69b5628db9481816052efea29e93f1bd274a1d76006aee6

General

Target

fa7ed15708d988e7f69b5628db9481816052efea29e93f1bd274a1d76006aee6exe_JC.exe
Size

1023KB
MD5

77650bc339c9c420709ca447465f164b
SHA1

623362fa1b8b25eb5e072db8f873486392cb464d
SHA256

fa7ed15708d988e7f69b5628db9481816052efea29e93f1bd274a1d76006aee6
SHA512

180f90f46b2ffe746bdd554b55987624f0e5c18b381dc5a43a18362e4403a155d8c1753b6038c9792e1d0bf450995cba830f5b653508491763e9a1a99605d4bb
SSDEEP

24576:3JorhygMajIQREzeqwEhjL5a5iT/8oTZfMy4:5SrM8HCL5Rb8oSy4

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

Processes:

fa7ed15708d988e7f69b5628db9481816052efea29e93f1bd274a1d76006aee6exe_JC.exe

description	pid	process	target process
PID 2644 set thread context of 2748	2644	fa7ed15708d988e7f69b5628db9481816052efea29e93f1bd274a1d76006aee6exe_JC.exe	fa7ed15708d988e7f69b5628db9481816052efea29e93f1bd274a1d76006aee6exe_JC.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2628 2748 WerFault.exe fa7ed15708d988e7f69b5628db9481816052efea29e93f1bd274a1d76006aee6exe_JC.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

fa7ed15708d988e7f69b5628db9481816052efea29e93f1bd274a1d76006aee6exe_JC.exe

description pid process

Token: SeDebugPrivilege 2644 fa7ed15708d988e7f69b5628db9481816052efea29e93f1bd274a1d76006aee6exe_JC.exe

pid	pid_target	process	target process
2628	2748	WerFault.exe	fa7ed15708d988e7f69b5628db9481816052efea29e93f1bd274a1d76006aee6exe_JC.exe

description	pid	process
Token: SeDebugPrivilege	2644	fa7ed15708d988e7f69b5628db9481816052efea29e93f1bd274a1d76006aee6exe_JC.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

fa7ed15708d988e7f69b5628db9481816052efea29e93f1bd274a1d76006aee6exe_JC.exefa7ed15708d988e7f69b5628db9481816052efea29e93f1bd274a1d76006aee6exe_JC.exe

C:\Users\Admin\AppData\Local\Temp\fa7ed15708d988e7f69b5628db9481816052efea29e93f1bd274a1d76006aee6exe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\fa7ed15708d988e7f69b5628db9481816052efea29e93f1bd274a1d76006aee6exe_JC.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2644

C:\Users\Admin\AppData\Local\Temp\fa7ed15708d988e7f69b5628db9481816052efea29e93f1bd274a1d76006aee6exe_JC.exe
C:\Users\Admin\AppData\Local\Temp\fa7ed15708d988e7f69b5628db9481816052efea29e93f1bd274a1d76006aee6exe_JC.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:2748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2748 -s 164
3⤵
- Program crash
PID:2628

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2644-8-0x0000000002060000-0x00000000020AC000-memory.dmp

Filesize
304KB

Download
memory/2644-21-0x00000000741C0000-0x00000000748AE000-memory.dmp

Filesize
6.9MB

Download
memory/2644-0-0x00000000741C0000-0x00000000748AE000-memory.dmp

Filesize
6.9MB

Download
memory/2644-3-0x0000000004CB0000-0x0000000004CF0000-memory.dmp

Filesize
256KB

Download
memory/2644-4-0x0000000000460000-0x00000000004A8000-memory.dmp

Filesize
288KB

Download
memory/2644-5-0x0000000000800000-0x0000000000846000-memory.dmp

Filesize
280KB

Download
memory/2644-6-0x0000000002020000-0x0000000002054000-memory.dmp

Filesize
208KB

Download
memory/2644-7-0x0000000004CB0000-0x0000000004CF0000-memory.dmp

Filesize
256KB

Download
memory/2644-2-0x00000000741C0000-0x00000000748AE000-memory.dmp

Filesize
6.9MB

Download
memory/2644-1-0x00000000000D0000-0x00000000001D6000-memory.dmp

Filesize
1.0MB

Download
memory/2748-12-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2748-11-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2748-13-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2748-14-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2748-15-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2748-16-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2748-18-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2748-20-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2748-9-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download

description	pid	process	target process
PID 2644 wrote to memory of 2748	2644	fa7ed15708d988e7f69b5628db9481816052efea29e93f1bd274a1d76006aee6exe_JC.exe	fa7ed15708d988e7f69b5628db9481816052efea29e93f1bd274a1d76006aee6exe_JC.exe
PID 2644 wrote to memory of 2748	2644	fa7ed15708d988e7f69b5628db9481816052efea29e93f1bd274a1d76006aee6exe_JC.exe	fa7ed15708d988e7f69b5628db9481816052efea29e93f1bd274a1d76006aee6exe_JC.exe
PID 2644 wrote to memory of 2748	2644	fa7ed15708d988e7f69b5628db9481816052efea29e93f1bd274a1d76006aee6exe_JC.exe	fa7ed15708d988e7f69b5628db9481816052efea29e93f1bd274a1d76006aee6exe_JC.exe
PID 2644 wrote to memory of 2748	2644	fa7ed15708d988e7f69b5628db9481816052efea29e93f1bd274a1d76006aee6exe_JC.exe	fa7ed15708d988e7f69b5628db9481816052efea29e93f1bd274a1d76006aee6exe_JC.exe
PID 2644 wrote to memory of 2748	2644	fa7ed15708d988e7f69b5628db9481816052efea29e93f1bd274a1d76006aee6exe_JC.exe	fa7ed15708d988e7f69b5628db9481816052efea29e93f1bd274a1d76006aee6exe_JC.exe
PID 2644 wrote to memory of 2748	2644	fa7ed15708d988e7f69b5628db9481816052efea29e93f1bd274a1d76006aee6exe_JC.exe	fa7ed15708d988e7f69b5628db9481816052efea29e93f1bd274a1d76006aee6exe_JC.exe
PID 2644 wrote to memory of 2748	2644	fa7ed15708d988e7f69b5628db9481816052efea29e93f1bd274a1d76006aee6exe_JC.exe	fa7ed15708d988e7f69b5628db9481816052efea29e93f1bd274a1d76006aee6exe_JC.exe
PID 2644 wrote to memory of 2748	2644	fa7ed15708d988e7f69b5628db9481816052efea29e93f1bd274a1d76006aee6exe_JC.exe	fa7ed15708d988e7f69b5628db9481816052efea29e93f1bd274a1d76006aee6exe_JC.exe
PID 2644 wrote to memory of 2748	2644	fa7ed15708d988e7f69b5628db9481816052efea29e93f1bd274a1d76006aee6exe_JC.exe	fa7ed15708d988e7f69b5628db9481816052efea29e93f1bd274a1d76006aee6exe_JC.exe
PID 2644 wrote to memory of 2748	2644	fa7ed15708d988e7f69b5628db9481816052efea29e93f1bd274a1d76006aee6exe_JC.exe	fa7ed15708d988e7f69b5628db9481816052efea29e93f1bd274a1d76006aee6exe_JC.exe
PID 2644 wrote to memory of 2748	2644	fa7ed15708d988e7f69b5628db9481816052efea29e93f1bd274a1d76006aee6exe_JC.exe	fa7ed15708d988e7f69b5628db9481816052efea29e93f1bd274a1d76006aee6exe_JC.exe
PID 2748 wrote to memory of 2628	2748	fa7ed15708d988e7f69b5628db9481816052efea29e93f1bd274a1d76006aee6exe_JC.exe	WerFault.exe
PID 2748 wrote to memory of 2628	2748	fa7ed15708d988e7f69b5628db9481816052efea29e93f1bd274a1d76006aee6exe_JC.exe	WerFault.exe
PID 2748 wrote to memory of 2628	2748	fa7ed15708d988e7f69b5628db9481816052efea29e93f1bd274a1d76006aee6exe_JC.exe	WerFault.exe
PID 2748 wrote to memory of 2628	2748	fa7ed15708d988e7f69b5628db9481816052efea29e93f1bd274a1d76006aee6exe_JC.exe	WerFault.exe

Analysis

Sharing