eebc9333049be75082af1cb0c8ecb798bcbea50e4b0208fa97a96c71aa68dc62 | Triage

Analysis

max time kernel
39s
max time network
41s
platform
windows7_x64
resource
win7
submitted
25-10-2020 17:26

Sharing

Report Analysis Logs

General

Target

879b24b80b987f27f051d4097a5bb6a2.exe
Size

400KB
MD5

879b24b80b987f27f051d4097a5bb6a2
SHA1

c792ff6eb7b1338cf46607b40bc15664134f159a
SHA256

eebc9333049be75082af1cb0c8ecb798bcbea50e4b0208fa97a96c71aa68dc62
SHA512

746814b746e4643840c44e928c0516ff8189cef22c791acdc329a4d7414b469fcb05505e555ea0bf09a1087840dc66df1065220b576fb0d7dd9e026936676959

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

600 820 WerFault.exe 879b24b80b987f27f051d4097a5bb6a2.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

WerFault.exe

pid process

600 WerFault.exe
600 WerFault.exe
600 WerFault.exe
600 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 600 WerFault.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

879b24b80b987f27f051d4097a5bb6a2.exe

description	pid	process	target process
PID 820 wrote to memory of 600	820	879b24b80b987f27f051d4097a5bb6a2.exe	WerFault.exe
PID 820 wrote to memory of 600	820	879b24b80b987f27f051d4097a5bb6a2.exe	WerFault.exe
PID 820 wrote to memory of 600	820	879b24b80b987f27f051d4097a5bb6a2.exe	WerFault.exe
PID 820 wrote to memory of 600	820	879b24b80b987f27f051d4097a5bb6a2.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\879b24b80b987f27f051d4097a5bb6a2.exe
"C:\Users\Admin\AppData\Local\Temp\879b24b80b987f27f051d4097a5bb6a2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 820 -s 36
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:600

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/600-0-0x0000000000000000-mapping.dmp

Download
memory/600-1-0x0000000001DD0000-0x0000000001DE1000-memory.dmp

Filesize
68KB

Download
memory/600-2-0x00000000024C0000-0x00000000024D1000-memory.dmp

Filesize
68KB

Download