2852f76a016cf31d51a7d59a77857bee6285f59c95d6bcb8cd83b83640adbb69 | Triage

Analysis

max time kernel
10s
max time network
113s
platform
windows10_x64
resource
win10v20210410
submitted
22-06-2021 15:20

Sharing

Report Analysis Logs

General

Target

10.exe
Size

21KB
MD5

89dec4d6bfe84c184bba66cb88e9e9b1
SHA1

9ef17ae9e70f9ce851a2460028da272d4828e270
SHA256

2852f76a016cf31d51a7d59a77857bee6285f59c95d6bcb8cd83b83640adbb69
SHA512

37f057cf49cc6e2626e6a3881898cff4d1956bfe73770f7bf35c0e2afbcd04f772eed88ea997eda74c402986d7d234f58269efe695a4a25eddfe7ded8e98a4c0

Score

10^/10

Malware Config

Signatures

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 816 created 4012	816	WerFault.exe	23

Program crash 1 IoCs

pid	pid_target	Process	procid_target
816	4012	WerFault.exe	23

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
816	WerFault.exe
816	WerFault.exe
816	WerFault.exe
816	WerFault.exe
816	WerFault.exe
816	WerFault.exe
816	WerFault.exe
816	WerFault.exe
816	WerFault.exe
816	WerFault.exe
816	WerFault.exe
816	WerFault.exe
816	WerFault.exe
816	WerFault.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	816	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\10.exe
"C:\Users\Admin\AppData\Local\Temp\10.exe"
1⤵
PID:4012
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4012 -s 132
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:816

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads