5301e5deb37674296e48d5873862ce32f934fbdfe1a7919f97bddb1138957e35 | Triage

Analysis

max time kernel
12s
max time network
126s
platform
windows10_x64
resource
win10v20210410
submitted
22-06-2021 14:06

Sharing

Report Analysis Logs

General

Target

4.exe
Size

21KB
MD5

191889cccd8827cb28b5cf9c3a559366
SHA1

c1a6bc0e5d66524eaefa935e9d1dca0c9223bead
SHA256

5301e5deb37674296e48d5873862ce32f934fbdfe1a7919f97bddb1138957e35
SHA512

6d3af286eaa1c3051a739edeaa5f5684f31ff0575082bcd1c2155acfa82657b06b70d7aefc55be3dc1f0877cd4ca77b13f9e53720f5123339bf85eb36bfdfcdf

Score

10^/10

Malware Config

Signatures

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 1172 created 3944	1172	WerFault.exe	65

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1172	3944	WerFault.exe	65

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1172	WerFault.exe
1172	WerFault.exe
1172	WerFault.exe
1172	WerFault.exe
1172	WerFault.exe
1172	WerFault.exe
1172	WerFault.exe
1172	WerFault.exe
1172	WerFault.exe
1172	WerFault.exe
1172	WerFault.exe
1172	WerFault.exe
1172	WerFault.exe
1172	WerFault.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1172	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\4.exe
"C:\Users\Admin\AppData\Local\Temp\4.exe"
1⤵
PID:3944
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3944 -s 132
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1172

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads