d7cb8a2d60e1818d0638a4c38cd6fae475dc83ab7b2bde9827ecc4e4a7ce6ed7

General

Target

d7cb8a2d60e1818d0638a4c38cd6fae475dc83ab7b2bde9827ecc4e4a7ce6ed7.exe
Size

312KB
MD5

9824d07cea51069c0042eff0e46d1ad2
SHA1

70ef130a8f88076dc671ab9873b2a3a3c45818fc
SHA256

d7cb8a2d60e1818d0638a4c38cd6fae475dc83ab7b2bde9827ecc4e4a7ce6ed7
SHA512

6d38269e1c93c7e8bd6668cd26947cb821043c9bcbcb19d586795e0fb3d52b8a492e3817eef912bae165973c001c205fd879bbca9810339e6b45bda1651e3bb9
SSDEEP

6144:XAo4v3KmeRDWs0cSsm42PWB1vEtf8h81dZgjvxbtIGnWSPgYYshfnmU3H1l5Fy4:XGimeAs0cuvuB14I9JWfWnNl

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

Processes:

d7cb8a2d60e1818d0638a4c38cd6fae475dc83ab7b2bde9827ecc4e4a7ce6ed7.exe

description	pid	process	target process
PID 2772 set thread context of 2756	2772	d7cb8a2d60e1818d0638a4c38cd6fae475dc83ab7b2bde9827ecc4e4a7ce6ed7.exe	d7cb8a2d60e1818d0638a4c38cd6fae475dc83ab7b2bde9827ecc4e4a7ce6ed7.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2500 2756 WerFault.exe d7cb8a2d60e1818d0638a4c38cd6fae475dc83ab7b2bde9827ecc4e4a7ce6ed7.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

d7cb8a2d60e1818d0638a4c38cd6fae475dc83ab7b2bde9827ecc4e4a7ce6ed7.exe

description pid process

Token: SeDebugPrivilege 2772 d7cb8a2d60e1818d0638a4c38cd6fae475dc83ab7b2bde9827ecc4e4a7ce6ed7.exe

pid	pid_target	process	target process
2500	2756	WerFault.exe	d7cb8a2d60e1818d0638a4c38cd6fae475dc83ab7b2bde9827ecc4e4a7ce6ed7.exe

description	pid	process
Token: SeDebugPrivilege	2772	d7cb8a2d60e1818d0638a4c38cd6fae475dc83ab7b2bde9827ecc4e4a7ce6ed7.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

d7cb8a2d60e1818d0638a4c38cd6fae475dc83ab7b2bde9827ecc4e4a7ce6ed7.exed7cb8a2d60e1818d0638a4c38cd6fae475dc83ab7b2bde9827ecc4e4a7ce6ed7.exe

C:\Users\Admin\AppData\Local\Temp\d7cb8a2d60e1818d0638a4c38cd6fae475dc83ab7b2bde9827ecc4e4a7ce6ed7.exe
"C:\Users\Admin\AppData\Local\Temp\d7cb8a2d60e1818d0638a4c38cd6fae475dc83ab7b2bde9827ecc4e4a7ce6ed7.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2772

C:\Users\Admin\AppData\Local\Temp\d7cb8a2d60e1818d0638a4c38cd6fae475dc83ab7b2bde9827ecc4e4a7ce6ed7.exe
C:\Users\Admin\AppData\Local\Temp\d7cb8a2d60e1818d0638a4c38cd6fae475dc83ab7b2bde9827ecc4e4a7ce6ed7.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:2756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2756 -s 164
3⤵
- Program crash
PID:2500

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2756-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2756-6-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2756-18-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2756-16-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2756-8-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2756-12-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2756-10-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2756-7-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2756-9-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2772-4-0x0000000000EA0000-0x0000000000ED4000-memory.dmp

Filesize
208KB

Download
memory/2772-1-0x0000000074320000-0x0000000074A0E000-memory.dmp

Filesize
6.9MB

Download
memory/2772-5-0x0000000000FE0000-0x000000000102C000-memory.dmp

Filesize
304KB

Download
memory/2772-0-0x00000000010B0000-0x0000000001104000-memory.dmp

Filesize
336KB

Download
memory/2772-3-0x0000000001050000-0x0000000001090000-memory.dmp

Filesize
256KB

Download
memory/2772-2-0x0000000000E60000-0x0000000000EA6000-memory.dmp

Filesize
280KB

Download
memory/2772-19-0x0000000074320000-0x0000000074A0E000-memory.dmp

Filesize
6.9MB

Download

description	pid	process	target process
PID 2772 wrote to memory of 2756	2772	d7cb8a2d60e1818d0638a4c38cd6fae475dc83ab7b2bde9827ecc4e4a7ce6ed7.exe	d7cb8a2d60e1818d0638a4c38cd6fae475dc83ab7b2bde9827ecc4e4a7ce6ed7.exe
PID 2772 wrote to memory of 2756	2772	d7cb8a2d60e1818d0638a4c38cd6fae475dc83ab7b2bde9827ecc4e4a7ce6ed7.exe	d7cb8a2d60e1818d0638a4c38cd6fae475dc83ab7b2bde9827ecc4e4a7ce6ed7.exe
PID 2772 wrote to memory of 2756	2772	d7cb8a2d60e1818d0638a4c38cd6fae475dc83ab7b2bde9827ecc4e4a7ce6ed7.exe	d7cb8a2d60e1818d0638a4c38cd6fae475dc83ab7b2bde9827ecc4e4a7ce6ed7.exe
PID 2772 wrote to memory of 2756	2772	d7cb8a2d60e1818d0638a4c38cd6fae475dc83ab7b2bde9827ecc4e4a7ce6ed7.exe	d7cb8a2d60e1818d0638a4c38cd6fae475dc83ab7b2bde9827ecc4e4a7ce6ed7.exe
PID 2772 wrote to memory of 2756	2772	d7cb8a2d60e1818d0638a4c38cd6fae475dc83ab7b2bde9827ecc4e4a7ce6ed7.exe	d7cb8a2d60e1818d0638a4c38cd6fae475dc83ab7b2bde9827ecc4e4a7ce6ed7.exe
PID 2772 wrote to memory of 2756	2772	d7cb8a2d60e1818d0638a4c38cd6fae475dc83ab7b2bde9827ecc4e4a7ce6ed7.exe	d7cb8a2d60e1818d0638a4c38cd6fae475dc83ab7b2bde9827ecc4e4a7ce6ed7.exe
PID 2772 wrote to memory of 2756	2772	d7cb8a2d60e1818d0638a4c38cd6fae475dc83ab7b2bde9827ecc4e4a7ce6ed7.exe	d7cb8a2d60e1818d0638a4c38cd6fae475dc83ab7b2bde9827ecc4e4a7ce6ed7.exe
PID 2772 wrote to memory of 2756	2772	d7cb8a2d60e1818d0638a4c38cd6fae475dc83ab7b2bde9827ecc4e4a7ce6ed7.exe	d7cb8a2d60e1818d0638a4c38cd6fae475dc83ab7b2bde9827ecc4e4a7ce6ed7.exe
PID 2772 wrote to memory of 2756	2772	d7cb8a2d60e1818d0638a4c38cd6fae475dc83ab7b2bde9827ecc4e4a7ce6ed7.exe	d7cb8a2d60e1818d0638a4c38cd6fae475dc83ab7b2bde9827ecc4e4a7ce6ed7.exe
PID 2772 wrote to memory of 2756	2772	d7cb8a2d60e1818d0638a4c38cd6fae475dc83ab7b2bde9827ecc4e4a7ce6ed7.exe	d7cb8a2d60e1818d0638a4c38cd6fae475dc83ab7b2bde9827ecc4e4a7ce6ed7.exe
PID 2772 wrote to memory of 2756	2772	d7cb8a2d60e1818d0638a4c38cd6fae475dc83ab7b2bde9827ecc4e4a7ce6ed7.exe	d7cb8a2d60e1818d0638a4c38cd6fae475dc83ab7b2bde9827ecc4e4a7ce6ed7.exe
PID 2756 wrote to memory of 2500	2756	d7cb8a2d60e1818d0638a4c38cd6fae475dc83ab7b2bde9827ecc4e4a7ce6ed7.exe	WerFault.exe
PID 2756 wrote to memory of 2500	2756	d7cb8a2d60e1818d0638a4c38cd6fae475dc83ab7b2bde9827ecc4e4a7ce6ed7.exe	WerFault.exe
PID 2756 wrote to memory of 2500	2756	d7cb8a2d60e1818d0638a4c38cd6fae475dc83ab7b2bde9827ecc4e4a7ce6ed7.exe	WerFault.exe
PID 2756 wrote to memory of 2500	2756	d7cb8a2d60e1818d0638a4c38cd6fae475dc83ab7b2bde9827ecc4e4a7ce6ed7.exe	WerFault.exe

Analysis

Sharing