9bffea675c1c205f6b3a87de0023940564d882479b5fa89243a4aeefef603373 | Triage

Analysis

max time kernel
12s
max time network
110s
platform
windows10_x64
resource
win10v20210408
submitted
09-05-2021 19:34

Sharing

Report Analysis Logs

General

Target

9bffea675c1c205f6b3a87de0023940564d882479b5fa89243a4aeefef603373.exe
Size

711KB
MD5

79a6f1af3763bce01683124495b54243
SHA1

5a01f3e6cd5bc843c5065d42bc47032f57c14020
SHA256

9bffea675c1c205f6b3a87de0023940564d882479b5fa89243a4aeefef603373
SHA512

293cfd5dd4ded7b5ae8b9adcb6cea43244e5bb828f347b904e4cdec9b0054b4d283a100b4835578ab3e92e8a446fd74310d2d79f951c22c5fa4692dc9999f8a4

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3928	472	WerFault.exe	67

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3928	WerFault.exe
3928	WerFault.exe
3928	WerFault.exe
3928	WerFault.exe
3928	WerFault.exe
3928	WerFault.exe
3928	WerFault.exe
3928	WerFault.exe
3928	WerFault.exe
3928	WerFault.exe
3928	WerFault.exe
3928	WerFault.exe
3928	WerFault.exe
3928	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	3928	WerFault.exe
Token: SeBackupPrivilege	3928	WerFault.exe
Token: SeDebugPrivilege	3928	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\9bffea675c1c205f6b3a87de0023940564d882479b5fa89243a4aeefef603373.exe
"C:\Users\Admin\AppData\Local\Temp\9bffea675c1c205f6b3a87de0023940564d882479b5fa89243a4aeefef603373.exe"
1⤵
PID:472
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 472 -s 544
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3928

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads