3504fe4b0e2d093c366cffa43ceb37026d7a5f8e35498aa7945556c77ecce731 | Triage

Analysis

max time kernel
67s
max time network
45s
platform
windows7_x64
resource
win7v20210408
submitted
13-07-2021 13:01

Sharing

Report Analysis Logs

General

Target

495edc6456f3c1d7dcdf839ec8a1fc70.exe
Size

935KB
MD5

495edc6456f3c1d7dcdf839ec8a1fc70
SHA1

fe30c475e506a76be7ea15c4f529938062718276
SHA256

3504fe4b0e2d093c366cffa43ceb37026d7a5f8e35498aa7945556c77ecce731
SHA512

b2122cd4b6a1b1f46f8e3b970ccd786ca6a07a554772a7ddebab9d7dc42ea7a12288debdccc3ec5af63fd6d707b3e804e3e13cfd2d4fbe7e2aec11abea4e1b1a

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1072	2004	WerFault.exe	24

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1072	WerFault.exe
1072	WerFault.exe
1072	WerFault.exe
1072	WerFault.exe
1072	WerFault.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1072	WerFault.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 1072	2004	495edc6456f3c1d7dcdf839ec8a1fc70.exe	29
PID 2004 wrote to memory of 1072	2004	495edc6456f3c1d7dcdf839ec8a1fc70.exe	29
PID 2004 wrote to memory of 1072	2004	495edc6456f3c1d7dcdf839ec8a1fc70.exe	29
PID 2004 wrote to memory of 1072	2004	495edc6456f3c1d7dcdf839ec8a1fc70.exe	29

C:\Users\Admin\AppData\Local\Temp\495edc6456f3c1d7dcdf839ec8a1fc70.exe
"C:\Users\Admin\AppData\Local\Temp\495edc6456f3c1d7dcdf839ec8a1fc70.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2004 -s 628
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1072

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1072-64-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2004-59-0x0000000000ED0000-0x0000000000ED1000-memory.dmp

Filesize
4KB

Download
memory/2004-61-0x00000000048C0000-0x00000000048C1000-memory.dmp

Filesize
4KB

Download
memory/2004-62-0x0000000000340000-0x0000000000350000-memory.dmp

Filesize
64KB

Download