78789e420e9860320e61c5faad19f4d7604378ca7d3de473c622dcdbe3bdc614 | Triage

Analysis

max time kernel
13s
max time network
113s
platform
windows10_x64
resource
win10v20210410
submitted
09-05-2021 19:30

Sharing

Report Analysis Logs

General

Target

78789e420e9860320e61c5faad19f4d7604378ca7d3de473c622dcdbe3bdc614.exe
Size

711KB
MD5

090d8bf43955fa4e317d95d81923ce80
SHA1

0ebf7d5f2775ed9e4fa5290e4385f69ad8d0bd86
SHA256

78789e420e9860320e61c5faad19f4d7604378ca7d3de473c622dcdbe3bdc614
SHA512

7d3ab8b5571e35e87edae375e5ffca8e8d05c513e6f3450c131f67e1ecf5d16fe287e801661ed1b2679e54f6cb978093493f745ee93670f8a095ce5ac5a42be9

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2920	1832	WerFault.exe	50

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2920	WerFault.exe
2920	WerFault.exe
2920	WerFault.exe
2920	WerFault.exe
2920	WerFault.exe
2920	WerFault.exe
2920	WerFault.exe
2920	WerFault.exe
2920	WerFault.exe
2920	WerFault.exe
2920	WerFault.exe
2920	WerFault.exe
2920	WerFault.exe
2920	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	2920	WerFault.exe
Token: SeBackupPrivilege	2920	WerFault.exe
Token: SeDebugPrivilege	2920	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\78789e420e9860320e61c5faad19f4d7604378ca7d3de473c622dcdbe3bdc614.exe
"C:\Users\Admin\AppData\Local\Temp\78789e420e9860320e61c5faad19f4d7604378ca7d3de473c622dcdbe3bdc614.exe"
1⤵
PID:1832
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1832 -s 540
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2920

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads