a5a2b6bfba012554d3c7e01c9df1173f995639caf31fdde8693e30ef501d26d7 | Triage

Analysis

max time kernel
11s
max time network
152s
platform
windows10_x64
resource
win10v20210410
submitted
22-06-2021 14:07

Sharing

Report Analysis Logs

General

Target

9.exe
Size

21KB
MD5

6e4d7e63e05ef919d2b8724fbc3f3eeb
SHA1

97730b10da62c23ee6554625f5c24bf262aae261
SHA256

a5a2b6bfba012554d3c7e01c9df1173f995639caf31fdde8693e30ef501d26d7
SHA512

641c16245535d0e7eff19063830f8b8448d51fdefd6384a615495709b203c1522603292140b951cd220d1cd22e0f414f5c0e156633b2eb69f8ecf7fde8cdef86

Score

10^/10

Malware Config

Signatures

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 3908 created 3968	3908	WerFault.exe	22

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3908	3968	WerFault.exe	22

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3908	WerFault.exe
3908	WerFault.exe
3908	WerFault.exe
3908	WerFault.exe
3908	WerFault.exe
3908	WerFault.exe
3908	WerFault.exe
3908	WerFault.exe
3908	WerFault.exe
3908	WerFault.exe
3908	WerFault.exe
3908	WerFault.exe
3908	WerFault.exe
3908	WerFault.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3908	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\9.exe
"C:\Users\Admin\AppData\Local\Temp\9.exe"
1⤵
PID:3968
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3968 -s 132
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3908

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads