f1bbcc5c678d174d858ae089f4494e3ea8bcfc418098d61804a15e437f08aff7 | Triage

Resubmissions

03-07-2024 22:59

240703-2yn7wszhlp 10

03-07-2024 16:13

240703-tn93lsyglf 10

03-07-2024 16:11

240703-tm84xsyfma 10

10-05-2024 16:25

240510-tw1h5shh47 10

24-08-2023 11:16

230824-nda8msdf8z 10

Analysis

max time kernel
315s
max time network
376s
platform
windows10_x64
resource
win10v20201028
submitted
22-11-2020 06:42

Sharing

Report Analysis Logs

General

Target

[email protected]
Size

414KB
MD5

d0deb2644c9435ea701e88537787ea6e
SHA1

866e47ecd80da89c4f56557659027a3aee897132
SHA256

ad6cd46f373aadad85fab5ecdb4cb4ad7ebd0cbe44c84db5d2a2ee1b54eb5ec3
SHA512

6faac2e1003290bb3a0613ee84d5c76d3c48a4524e97975e9174d6fcfb5a6a48d6648b06ed5a4c10c3349f70efffc6a08a185fdeb0824250ae044b96ef39fcdf

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1364	3928	WerFault.exe	67

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1364	WerFault.exe
1364	WerFault.exe
1364	WerFault.exe
1364	WerFault.exe
1364	WerFault.exe
1364	WerFault.exe
1364	WerFault.exe
1364	WerFault.exe
1364	WerFault.exe
1364	WerFault.exe
1364	WerFault.exe
1364	WerFault.exe
1364	WerFault.exe
1364	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	1364	WerFault.exe
Token: SeBackupPrivilege	1364	WerFault.exe
Token: SeDebugPrivilege	1364	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
1⤵
PID:3928
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3928 -s 640
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1364

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1364-0-0x0000000004270000-0x0000000004271000-memory.dmp

Filesize
4KB

Download
memory/1364-1-0x00000000047A0000-0x00000000047A1000-memory.dmp

Filesize
4KB

Download