72c019880ad2656f877ae76590ac447287c3ce5805e91097316fdc1e5b6645f2 | Triage

Analysis

max time kernel
146s
max time network
26s
platform
windows7_x64
resource
win7v200430
submitted
29-05-2020 04:11

Sharing

Report Analysis Logs

General

Target

1f6ae0f347e101a1c4244177efc8ba7459630d7f.exe
Size

335KB
MD5

5d3007f8299a676dd4e31157dd7fc731
SHA1

1f6ae0f347e101a1c4244177efc8ba7459630d7f
SHA256

72c019880ad2656f877ae76590ac447287c3ce5805e91097316fdc1e5b6645f2
SHA512

76a74ae3d0eb5a2471b89b42c58b6b6b05c5753f2a96e9980605cd6c74c747c9d3d613ed82e213ca6ff411c6d23a4be6e52aa9b5270e244ab4d16ef94ba7c2ec

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1696 1008 WerFault.exe 1f6ae0f347e101a1c4244177efc8ba7459630d7f.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

1f6ae0f347e101a1c4244177efc8ba7459630d7f.exe

description	pid	process	target process
PID 1008 wrote to memory of 1696	1008	1f6ae0f347e101a1c4244177efc8ba7459630d7f.exe	WerFault.exe
PID 1008 wrote to memory of 1696	1008	1f6ae0f347e101a1c4244177efc8ba7459630d7f.exe	WerFault.exe
PID 1008 wrote to memory of 1696	1008	1f6ae0f347e101a1c4244177efc8ba7459630d7f.exe	WerFault.exe
PID 1008 wrote to memory of 1696	1008	1f6ae0f347e101a1c4244177efc8ba7459630d7f.exe	WerFault.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 1696 WerFault.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

1f6ae0f347e101a1c4244177efc8ba7459630d7f.exeWerFault.exe

pid process

1008 1f6ae0f347e101a1c4244177efc8ba7459630d7f.exe
1696 WerFault.exe
1696 WerFault.exe
1696 WerFault.exe
1696 WerFault.exe

C:\Users\Admin\AppData\Local\Temp\1f6ae0f347e101a1c4244177efc8ba7459630d7f.exe
"C:\Users\Admin\AppData\Local\Temp\1f6ae0f347e101a1c4244177efc8ba7459630d7f.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
PID:1008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1008 -s 188
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:1696

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1008-0-0x000000000044E000-0x00000000004B0000-memory.dmp

Filesize
392KB

Download
memory/1696-1-0x0000000002030000-0x0000000002041000-memory.dmp

Filesize
68KB

Download
memory/1696-2-0x0000000002570000-0x0000000002581000-memory.dmp

Filesize
68KB

Download