21034ae93ae176546e6305e4fa6502a8b6d96b73a2bc399d004243c10bdc845b | Triage

Resubmissions

27-05-2020 14:40

200527-txwwm11vej 10

26-05-2020 15:35

200526-8h87qpsrz2 6

25-05-2020 13:03

200525-7xn38c1n6x 6

Analysis

max time kernel
114s
max time network
137s
platform
windows10_x64
resource
win10v200430
submitted
25-05-2020 13:03

Sharing

Report Analysis Logs

General

Target

IMMUNI.bin.exe
Size

955KB
MD5

b226803ac5a68cd86ecb7c0c6c4e9d00
SHA1

110301b5f4eced3c0d6712f023d3e0212515bf99
SHA256

7980ef30b9bed26a9823d3dd5746cdefe5d01de2b2eb2c5e17dbfd1fd52f62bf
SHA512

7a333fb668c8a7fa67715703d16cf8ed296c553fa3aab7c861337a211c605d0b20f0c760a4bfb3b72561efe342472382ecf890fd5de3e51c0022038474516e79

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2876 4012 WerFault.exe IMMUNI.bin.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 2876 WerFault.exe
Token: SeBackupPrivilege 2876 WerFault.exe
Token: SeDebugPrivilege 2876 WerFault.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

WerFault.exe

pid	process
2876	WerFault.exe
2876	WerFault.exe
2876	WerFault.exe
2876	WerFault.exe
2876	WerFault.exe
2876	WerFault.exe
2876	WerFault.exe
2876	WerFault.exe
2876	WerFault.exe
2876	WerFault.exe
2876	WerFault.exe
2876	WerFault.exe
2876	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\IMMUNI.bin.exe
"C:\Users\Admin\AppData\Local\Temp\IMMUNI.bin.exe"
1⤵
PID:4012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4012 -s 1080
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:2876

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2876-0-0x00000000044F0000-0x00000000044F1000-memory.dmp

Filesize
4KB

Download
memory/2876-1-0x0000000004D10000-0x0000000004D11000-memory.dmp

Filesize
4KB

Download