6daa33fa17b113a10a797fe9fc170e11170549c2ca5eb609f0f9d9f64283abac | Triage

Analysis

max time kernel
16s
max time network
119s
platform
windows10_x64
resource
win10v20210408
submitted
26-06-2021 12:03

Sharing

Report Analysis Logs

General

Target

6daa33fa17b113a10a797fe9fc170e11170549c2ca5eb609f0f9d9f64283abac.exe
Size

124KB
MD5

d337ce3673027b5ada079afeade07a67
SHA1

2e1df897475fb1877a4121e488071df3522b5368
SHA256

6daa33fa17b113a10a797fe9fc170e11170549c2ca5eb609f0f9d9f64283abac
SHA512

03850b843be4655fb45b63693a8d94ee950666fca9b3567cbc380189956b305fd78a706db4ef5efa0d7ea575074d0f60a49ca122fd809ee2001cffc4f050f4b3

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3152 632 WerFault.exe 6daa33fa17b113a10a797fe9fc170e11170549c2ca5eb609f0f9d9f64283abac.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

pid	process
3152	WerFault.exe
3152	WerFault.exe
3152	WerFault.exe
3152	WerFault.exe
3152	WerFault.exe
3152	WerFault.exe
3152	WerFault.exe
3152	WerFault.exe
3152	WerFault.exe
3152	WerFault.exe
3152	WerFault.exe
3152	WerFault.exe
3152	WerFault.exe
3152	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 3152 WerFault.exe
Token: SeBackupPrivilege 3152 WerFault.exe
Token: SeDebugPrivilege 3152 WerFault.exe

C:\Users\Admin\AppData\Local\Temp\6daa33fa17b113a10a797fe9fc170e11170549c2ca5eb609f0f9d9f64283abac.exe
"C:\Users\Admin\AppData\Local\Temp\6daa33fa17b113a10a797fe9fc170e11170549c2ca5eb609f0f9d9f64283abac.exe"
1⤵
PID:632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 632 -s 252
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3152

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...