f6b75a5605bba229b8d426fbaf789780d46981eb71a01c80d0177f1883930482 | Triage

Analysis

max time kernel
128s
max time network
130s
platform
windows10_x64
resource
win10
submitted
19-07-2020 17:34

Sharing

Report Analysis Logs

General

Target

grabbot_0.1.5.0.vir.exe
Size

443KB
MD5

041928bb86afc5e54bac2cbe6fa082dc
SHA1

ebc2f22a30e32152b13fe0911f3b15f682d1ff8e
SHA256

f6b75a5605bba229b8d426fbaf789780d46981eb71a01c80d0177f1883930482
SHA512

f5d9a0be20b118fb14664c51c87ac8e621b46de21e5d7f6ce7e792df9ee8b3c03a3546e551f6126390475ff23613ed1e24435fdfd8df5e64a0180bfca2383cd7

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3800 3844 WerFault.exe grabbot_0.1.5.0.vir.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 3800 WerFault.exe
Token: SeBackupPrivilege 3800 WerFault.exe
Token: SeDebugPrivilege 3800 WerFault.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

pid	process
3800	WerFault.exe
3800	WerFault.exe
3800	WerFault.exe
3800	WerFault.exe
3800	WerFault.exe
3800	WerFault.exe
3800	WerFault.exe
3800	WerFault.exe
3800	WerFault.exe
3800	WerFault.exe
3800	WerFault.exe
3800	WerFault.exe
3800	WerFault.exe
3800	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\grabbot_0.1.5.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\grabbot_0.1.5.0.vir.exe"
1⤵
PID:3844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3844 -s 312
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:3800

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3800-0-0x0000000004730000-0x0000000004731000-memory.dmp

Filesize
4KB

Download
memory/3800-1-0x0000000004920000-0x0000000004921000-memory.dmp

Filesize
4KB

Download