4601b57fb9acf7117686773d8616efcac498591a6b650acc9a4f96871e9694b5 | Triage

Analysis

max time kernel
128s
max time network
106s
platform
windows10_x64
resource
win10v200430
submitted
16/07/2020, 22:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.CAP_HookExKeylogger.26449.31845.exe
Size

288KB
MD5

4373f1b989912d0121641f23a05b2f62
SHA1

a11deb05354e51c737b263435dcab3fd2e26e90b
SHA256

4601b57fb9acf7117686773d8616efcac498591a6b650acc9a4f96871e9694b5
SHA512

f82d8645c622c8e9c903b757c31d15de92362625113ea78f4c46f1857df166ef6e28bddece4fc157ace8306466c5906b128e215b527a2f49d92daefcf5fe4de4

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2468	3216	WerFault.exe	67

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	2468	WerFault.exe
Token: SeBackupPrivilege	2468	WerFault.exe
Token: SeDebugPrivilege	2468	WerFault.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2468	WerFault.exe
2468	WerFault.exe
2468	WerFault.exe
2468	WerFault.exe
2468	WerFault.exe
2468	WerFault.exe
2468	WerFault.exe
2468	WerFault.exe
2468	WerFault.exe
2468	WerFault.exe
2468	WerFault.exe
2468	WerFault.exe
2468	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.CAP_HookExKeylogger.26449.31845.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.CAP_HookExKeylogger.26449.31845.exe"
1⤵
PID:3216
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3216 -s 916
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  PID:2468

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2468-0-0x0000000004E80000-0x0000000004E81000-memory.dmp

Filesize
4KB

Download
memory/2468-1-0x0000000005440000-0x0000000005441000-memory.dmp

Filesize
4KB

Download