eb0c34e4860b696a6c8ee2040aece95083f04ddfd23de520ac3b23c93867adcf | Triage

Analysis

max time kernel
123s
max time network
146s
platform
windows10_x64
resource
win10v200430
submitted
14/07/2020, 05:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ProstoClipper-Unpack.exe
Size

2.6MB
MD5

11a5ce0096575dca82d68e0efc19e6fc
SHA1

8f3c1e6110ad43ffe318cdc714b0843b9e44a968
SHA256

eb0c34e4860b696a6c8ee2040aece95083f04ddfd23de520ac3b23c93867adcf
SHA512

e6e712ef3146a0c2d0d4f98b944cde17c79c942383678bf223f7327986f9a17251804fc8f9cceed1ea8ad2c616576e69eff6ab3dd4b8015bb427393ee27e9ba6

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1584	3812	WerFault.exe	67

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	1584	WerFault.exe
Token: SeBackupPrivilege	1584	WerFault.exe
Token: SeDebugPrivilege	1584	WerFault.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
1584	WerFault.exe
1584	WerFault.exe
1584	WerFault.exe
1584	WerFault.exe
1584	WerFault.exe
1584	WerFault.exe
1584	WerFault.exe
1584	WerFault.exe
1584	WerFault.exe
1584	WerFault.exe
1584	WerFault.exe
1584	WerFault.exe
1584	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\ProstoClipper-Unpack.exe
"C:\Users\Admin\AppData\Local\Temp\ProstoClipper-Unpack.exe"
1⤵
PID:3812
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3812 -s 1168
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  PID:1584

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1584-0-0x00000000046F0000-0x00000000046F1000-memory.dmp

Filesize
4KB

Download
memory/1584-1-0x00000000046F0000-0x00000000046F1000-memory.dmp

Filesize
4KB

Download
memory/1584-4-0x0000000004EA0000-0x0000000004EA1000-memory.dmp

Filesize
4KB

Download