2cf60c433df3dcc84b80e18c93e578bf18b31c5c49777953702c53166275796b | Triage

Analysis

max time kernel
14s
max time network
120s
platform
windows10_x64
resource
win10v20210408
submitted
22-06-2021 14:06

Sharing

Report Analysis Logs

General

Target

2.exe
Size

21KB
MD5

2953b6ec692537f8eace1077081f9e43
SHA1

6db28862c0dbb589b918f812ff61cfdac0248eab
SHA256

2cf60c433df3dcc84b80e18c93e578bf18b31c5c49777953702c53166275796b
SHA512

11959d3841c3824e5d4c68771f67db6227423d99f5beb6559c165081b6300fb3553633ce871157bd972845730fcc9e1201c10507f114d7458b3940c8cdf0ca85

Score

10^/10

Malware Config

Signatures

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2656 created 632	2656	WerFault.exe	67

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2656	632	WerFault.exe	67

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2656	WerFault.exe
2656	WerFault.exe
2656	WerFault.exe
2656	WerFault.exe
2656	WerFault.exe
2656	WerFault.exe
2656	WerFault.exe
2656	WerFault.exe
2656	WerFault.exe
2656	WerFault.exe
2656	WerFault.exe
2656	WerFault.exe
2656	WerFault.exe
2656	WerFault.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2656	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\2.exe
"C:\Users\Admin\AppData\Local\Temp\2.exe"
1⤵
PID:632
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 632 -s 68
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2656

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads