21034ae93ae176546e6305e4fa6502a8b6d96b73a2bc399d004243c10bdc845b | Triage

Resubmissions

27/05/2020, 14:40

200527-txwwm11vej 10

26/05/2020, 15:35

200526-8h87qpsrz2 6

25/05/2020, 13:03

200525-7xn38c1n6x 6

Analysis

max time kernel
114s
max time network
137s
platform
windows10_x64
resource
win10v200430
submitted
25/05/2020, 13:03

Sharing

Report Analysis Logs

General

Target

IMMUNI.bin.exe
Size

955KB
MD5

b226803ac5a68cd86ecb7c0c6c4e9d00
SHA1

110301b5f4eced3c0d6712f023d3e0212515bf99
SHA256

7980ef30b9bed26a9823d3dd5746cdefe5d01de2b2eb2c5e17dbfd1fd52f62bf
SHA512

7a333fb668c8a7fa67715703d16cf8ed296c553fa3aab7c861337a211c605d0b20f0c760a4bfb3b72561efe342472382ecf890fd5de3e51c0022038474516e79

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2876	4012	WerFault.exe	67

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	2876	WerFault.exe
Token: SeBackupPrivilege	2876	WerFault.exe
Token: SeDebugPrivilege	2876	WerFault.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2876	WerFault.exe
2876	WerFault.exe
2876	WerFault.exe
2876	WerFault.exe
2876	WerFault.exe
2876	WerFault.exe
2876	WerFault.exe
2876	WerFault.exe
2876	WerFault.exe
2876	WerFault.exe
2876	WerFault.exe
2876	WerFault.exe
2876	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\IMMUNI.bin.exe
"C:\Users\Admin\AppData\Local\Temp\IMMUNI.bin.exe"
1⤵
PID:4012
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4012 -s 1080
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  PID:2876

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2876-0-0x00000000044F0000-0x00000000044F1000-memory.dmp

Filesize
4KB

Download
memory/2876-1-0x0000000004D10000-0x0000000004D11000-memory.dmp

Filesize
4KB

Download