42037b4a472ddd39a76b92eb5eadddf373bfffe0d9166996ae6224a0363bc9d3 | Triage

Analysis

max time kernel
121s
max time network
119s
platform
windows10_x64
resource
win10
submitted
19-07-2020 17:37

Sharing

Report Analysis Logs

General

Target

grabbot_0.1.5.2.vir.exe
Size

340KB
MD5

d02f1ff60b9dc441a5fabf9057ba4560
SHA1

dc2ea1f7c1b6b5ea6998bcc6f0db745a5531bc43
SHA256

42037b4a472ddd39a76b92eb5eadddf373bfffe0d9166996ae6224a0363bc9d3
SHA512

4c5f049c5c69580053b7eeb970e5cc976f1f55ebc37890176480a68f6e375fdaee05a5398a1ac5a950eae93318c1a08dda16b5aa3c66364066c422e5c272fef5

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2028 1756 WerFault.exe grabbot_0.1.5.2.vir.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 2028 WerFault.exe
Token: SeBackupPrivilege 2028 WerFault.exe
Token: SeDebugPrivilege 2028 WerFault.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

pid	process
2028	WerFault.exe
2028	WerFault.exe
2028	WerFault.exe
2028	WerFault.exe
2028	WerFault.exe
2028	WerFault.exe
2028	WerFault.exe
2028	WerFault.exe
2028	WerFault.exe
2028	WerFault.exe
2028	WerFault.exe
2028	WerFault.exe
2028	WerFault.exe
2028	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\grabbot_0.1.5.2.vir.exe
"C:\Users\Admin\AppData\Local\Temp\grabbot_0.1.5.2.vir.exe"
1⤵
PID:1756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1756 -s 316
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:2028

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2028-0-0x0000000004ED0000-0x0000000004ED1000-memory.dmp

Filesize
4KB

Download
memory/2028-1-0x0000000005310000-0x0000000005311000-memory.dmp

Filesize
4KB

Download