eb0c34e4860b696a6c8ee2040aece95083f04ddfd23de520ac3b23c93867adcf | Triage

Analysis

max time kernel
56s
max time network
67s
platform
windows7_x64
resource
win7
submitted
14/07/2020, 05:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ProstoClipper-Unpack.exe
Size

2.6MB
MD5

11a5ce0096575dca82d68e0efc19e6fc
SHA1

8f3c1e6110ad43ffe318cdc714b0843b9e44a968
SHA256

eb0c34e4860b696a6c8ee2040aece95083f04ddfd23de520ac3b23c93867adcf
SHA512

e6e712ef3146a0c2d0d4f98b944cde17c79c942383678bf223f7327986f9a17251804fc8f9cceed1ea8ad2c616576e69eff6ab3dd4b8015bb427393ee27e9ba6

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
304	112	WerFault.exe	23

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 112 wrote to memory of 304	112	ProstoClipper-Unpack.exe	24
PID 112 wrote to memory of 304	112	ProstoClipper-Unpack.exe	24
PID 112 wrote to memory of 304	112	ProstoClipper-Unpack.exe	24
PID 112 wrote to memory of 304	112	ProstoClipper-Unpack.exe	24

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	304	WerFault.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
304	WerFault.exe
304	WerFault.exe
304	WerFault.exe
304	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\ProstoClipper-Unpack.exe
"C:\Users\Admin\AppData\Local\Temp\ProstoClipper-Unpack.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:112
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 112 -s 740
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  PID:304

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/304-2-0x0000000001FE0000-0x0000000001FF1000-memory.dmp

Filesize
68KB

Download
memory/304-5-0x0000000002570000-0x0000000002581000-memory.dmp

Filesize
68KB

Download