2a0de5a42f5d64ddd01b4f18382ba7a36a3d420abe5f2153fd4b9444ae98e53e | Triage

Analysis

max time kernel
122s
max time network
122s
platform
windows10_x64
resource
win10v20201028
submitted
18-03-2021 13:13

Sharing

Report Analysis Logs

General

Target

cd.exe
Size

572KB
MD5

46b39658da596e58315fe8914b030b24
SHA1

b91e4854936d7402dd93a59a932c44bf26252d52
SHA256

2a0de5a42f5d64ddd01b4f18382ba7a36a3d420abe5f2153fd4b9444ae98e53e
SHA512

cedb2c03cbc90882e15f59855871bc1909a7d3ebe9f10cc4d7516f0bdd1ad2fb8962f77bd1a5b98920246410918f0681fa34413d44f3561ab625fe203face32c

Score

10^/10

Malware Config

Signatures

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 1160 created 984 1160 WerFault.exe cd.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1160 984 WerFault.exe cd.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

WerFault.exe

pid	process
1160	WerFault.exe
1160	WerFault.exe
1160	WerFault.exe
1160	WerFault.exe
1160	WerFault.exe
1160	WerFault.exe
1160	WerFault.exe
1160	WerFault.exe
1160	WerFault.exe
1160	WerFault.exe
1160	WerFault.exe
1160	WerFault.exe
1160	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 1160 WerFault.exe
Token: SeBackupPrivilege 1160 WerFault.exe
Token: SeDebugPrivilege 1160 WerFault.exe

C:\Users\Admin\AppData\Local\Temp\cd.exe
"C:\Users\Admin\AppData\Local\Temp\cd.exe"
1⤵
PID:984
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 984 -s 1192
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1160

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1160-2-0x0000000004770000-0x0000000004771000-memory.dmp

Filesize
4KB

Download