ae1f419bb8e91810ef9a98c3b5dfdf876b25a9ece8799df4fa75c23fcd3475c3 | Triage

Analysis

max time kernel
13s
max time network
124s
platform
windows10_x64
resource
win10v20210410
submitted
26-07-2021 12:42

Sharing

Report Analysis Logs

General

Target

ae1f419bb8e91810ef9a98c3b5dfdf876b25a9ece8799df4fa75c23fcd3475c3.sample.exe
Size

57KB
MD5

1cccdbec21fd05b4500cc78319dffe74
SHA1

af272e1d49b05937a1bd393f8e1b484415af0ab6
SHA256

ae1f419bb8e91810ef9a98c3b5dfdf876b25a9ece8799df4fa75c23fcd3475c3
SHA512

f404c83a44bf47f028eb7a4abf8e0cd79fad3d4e8f5b353353e0bbc2027f7923eb425d66c51e67d78cf27dbac2a77f44abfa640abece95080bd30b50fbfb7bef

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1748 3368 WerFault.exe ae1f419bb8e91810ef9a98c3b5dfdf876b25a9ece8799df4fa75c23fcd3475c3.sample.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

pid	process
1748	WerFault.exe
1748	WerFault.exe
1748	WerFault.exe
1748	WerFault.exe
1748	WerFault.exe
1748	WerFault.exe
1748	WerFault.exe
1748	WerFault.exe
1748	WerFault.exe
1748	WerFault.exe
1748	WerFault.exe
1748	WerFault.exe
1748	WerFault.exe
1748	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 1748 WerFault.exe
Token: SeBackupPrivilege 1748 WerFault.exe
Token: SeDebugPrivilege 1748 WerFault.exe

C:\Users\Admin\AppData\Local\Temp\ae1f419bb8e91810ef9a98c3b5dfdf876b25a9ece8799df4fa75c23fcd3475c3.sample.exe
"C:\Users\Admin\AppData\Local\Temp\ae1f419bb8e91810ef9a98c3b5dfdf876b25a9ece8799df4fa75c23fcd3475c3.sample.exe"
1⤵
PID:3368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3368 -s 520
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1748

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3368-114-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download