3f06e0fa1a8d27d1d1f9d82462acc41b757e1a82b34d5d8e0354f024262a6fc9 | Triage

Analysis

max time kernel
11s
max time network
113s
platform
windows10_x64
resource
win10v20210410
submitted
22-06-2021 14:07

Sharing

Report Analysis Logs

General

Target

8.exe
Size

21KB
MD5

4a30853a3699ae354d8a238558ed59dd
SHA1

9494865a139853498338b0dc505bd36cc59b6bae
SHA256

3f06e0fa1a8d27d1d1f9d82462acc41b757e1a82b34d5d8e0354f024262a6fc9
SHA512

09bc363d9d62700cf5a7066121e4359f000a6affc8aa04fb642dff8963d0b42f2cc2b02787b1529b2fdcea2d1332a353337199ff364a19cac1504e7ed18d706d

Score

10^/10

Malware Config

Signatures

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 1092 created 2752	1092	WerFault.exe	61

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1092	2752	WerFault.exe	61

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1092	WerFault.exe
1092	WerFault.exe
1092	WerFault.exe
1092	WerFault.exe
1092	WerFault.exe
1092	WerFault.exe
1092	WerFault.exe
1092	WerFault.exe
1092	WerFault.exe
1092	WerFault.exe
1092	WerFault.exe
1092	WerFault.exe
1092	WerFault.exe
1092	WerFault.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1092	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\8.exe
"C:\Users\Admin\AppData\Local\Temp\8.exe"
1⤵
PID:2752
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2752 -s 132
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1092

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads