Analysis Overview
SHA256
92e0a7687dbabbecadf58d3f706e383909637c8ea4b0f49824f4c3929ff53435
Threat Level: Known bad
The file 92e0a7687dbabbecadf58d3f706e383909637c8ea4b0f49824f4c3929ff53435 was found to be: Known bad.
Malicious Activity Summary
Detects Obj3ctivity Stage1
Obj3ctivity family
Obj3ctivity, PXRECVOWEIWOEI
Program crash
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-20 18:29
Signatures
Detects Obj3ctivity Stage1
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Obj3ctivity family
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-20 18:29
Reported
2024-11-20 18:31
Platform
win7-20240708-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
Detects Obj3ctivity Stage1
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Obj3ctivity family
Obj3ctivity, PXRECVOWEIWOEI
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\92e0a7687dbabbecadf58d3f706e383909637c8ea4b0f49824f4c3929ff53435.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\92e0a7687dbabbecadf58d3f706e383909637c8ea4b0f49824f4c3929ff53435.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\92e0a7687dbabbecadf58d3f706e383909637c8ea4b0f49824f4c3929ff53435.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2248 wrote to memory of 2096 | N/A | C:\Users\Admin\AppData\Local\Temp\92e0a7687dbabbecadf58d3f706e383909637c8ea4b0f49824f4c3929ff53435.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2248 wrote to memory of 2096 | N/A | C:\Users\Admin\AppData\Local\Temp\92e0a7687dbabbecadf58d3f706e383909637c8ea4b0f49824f4c3929ff53435.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2248 wrote to memory of 2096 | N/A | C:\Users\Admin\AppData\Local\Temp\92e0a7687dbabbecadf58d3f706e383909637c8ea4b0f49824f4c3929ff53435.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2248 wrote to memory of 2096 | N/A | C:\Users\Admin\AppData\Local\Temp\92e0a7687dbabbecadf58d3f706e383909637c8ea4b0f49824f4c3929ff53435.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\92e0a7687dbabbecadf58d3f706e383909637c8ea4b0f49824f4c3929ff53435.exe
"C:\Users\Admin\AppData\Local\Temp\92e0a7687dbabbecadf58d3f706e383909637c8ea4b0f49824f4c3929ff53435.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2248 -s 1476
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | whatismyipaddressnow.co | udp |
| US | 104.21.71.78:443 | whatismyipaddressnow.co | tcp |
Files
memory/2248-0-0x00000000744FE000-0x00000000744FF000-memory.dmp
memory/2248-1-0x0000000000130000-0x0000000000144000-memory.dmp
memory/2248-2-0x00000000744F0000-0x0000000074BDE000-memory.dmp
memory/2248-3-0x00000000744F0000-0x0000000074BDE000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-20 18:29
Reported
2024-11-20 18:31
Platform
win10v2004-20241007-en
Max time kernel
135s
Max time network
141s
Command Line
Signatures
Detects Obj3ctivity Stage1
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Obj3ctivity family
Obj3ctivity, PXRECVOWEIWOEI
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\92e0a7687dbabbecadf58d3f706e383909637c8ea4b0f49824f4c3929ff53435.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\92e0a7687dbabbecadf58d3f706e383909637c8ea4b0f49824f4c3929ff53435.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\92e0a7687dbabbecadf58d3f706e383909637c8ea4b0f49824f4c3929ff53435.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\92e0a7687dbabbecadf58d3f706e383909637c8ea4b0f49824f4c3929ff53435.exe
"C:\Users\Admin\AppData\Local\Temp\92e0a7687dbabbecadf58d3f706e383909637c8ea4b0f49824f4c3929ff53435.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4656 -ip 4656
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 1676
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | whatismyipaddressnow.co | udp |
| US | 104.21.71.78:443 | whatismyipaddressnow.co | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 78.71.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.208.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 40.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 218.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.73.42.20.in-addr.arpa | udp |
Files
memory/4656-0-0x00000000751DE000-0x00000000751DF000-memory.dmp
memory/4656-1-0x0000000000200000-0x0000000000214000-memory.dmp
memory/4656-2-0x00000000751D0000-0x0000000075980000-memory.dmp
memory/4656-3-0x00000000751D0000-0x0000000075980000-memory.dmp