6daa33fa17b113a10a797fe9fc170e11170549c2ca5eb609f0f9d9f64283abac | Triage

Analysis

max time kernel
16s
max time network
119s
platform
windows10_x64
resource
win10v20210408
submitted
26/06/2021, 12:03

Sharing

Report Analysis Logs

General

Target

6daa33fa17b113a10a797fe9fc170e11170549c2ca5eb609f0f9d9f64283abac.exe
Size

124KB
MD5

d337ce3673027b5ada079afeade07a67
SHA1

2e1df897475fb1877a4121e488071df3522b5368
SHA256

6daa33fa17b113a10a797fe9fc170e11170549c2ca5eb609f0f9d9f64283abac
SHA512

03850b843be4655fb45b63693a8d94ee950666fca9b3567cbc380189956b305fd78a706db4ef5efa0d7ea575074d0f60a49ca122fd809ee2001cffc4f050f4b3

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3152	632	WerFault.exe	67

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3152	WerFault.exe
3152	WerFault.exe
3152	WerFault.exe
3152	WerFault.exe
3152	WerFault.exe
3152	WerFault.exe
3152	WerFault.exe
3152	WerFault.exe
3152	WerFault.exe
3152	WerFault.exe
3152	WerFault.exe
3152	WerFault.exe
3152	WerFault.exe
3152	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	3152	WerFault.exe
Token: SeBackupPrivilege	3152	WerFault.exe
Token: SeDebugPrivilege	3152	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\6daa33fa17b113a10a797fe9fc170e11170549c2ca5eb609f0f9d9f64283abac.exe
"C:\Users\Admin\AppData\Local\Temp\6daa33fa17b113a10a797fe9fc170e11170549c2ca5eb609f0f9d9f64283abac.exe"
1⤵
PID:632
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 632 -s 252
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3152

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads