32ece49c018110f307142a5eff7d169e75731b059fbf81ac26f82aab4111b8c8 | Triage

Analysis

max time kernel
17s
max time network
115s
platform
windows10_x64
resource
win10v20210408
submitted
19-08-2021 12:20

Sharing

Report Analysis Logs

General

Target

scan-0001098.exe
Size

235KB
MD5

24147a6909f47667067a4598f50fdfc4
SHA1

29d9b920365fd2092e2d2f2ebac159882e80cb8c
SHA256

32ece49c018110f307142a5eff7d169e75731b059fbf81ac26f82aab4111b8c8
SHA512

e3ba24bd4fd68dee1ce7a17ece6a92e81ad3b0d9b272612562b5d5c1d101b8ce45c3193be4ffe38c808affab595a7e84eb704675efd7410b3d4513ade84494cd

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3912 856 WerFault.exe scan-0001098.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

pid	process
3912	WerFault.exe
3912	WerFault.exe
3912	WerFault.exe
3912	WerFault.exe
3912	WerFault.exe
3912	WerFault.exe
3912	WerFault.exe
3912	WerFault.exe
3912	WerFault.exe
3912	WerFault.exe
3912	WerFault.exe
3912	WerFault.exe
3912	WerFault.exe
3912	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 3912 WerFault.exe
Token: SeBackupPrivilege 3912 WerFault.exe
Token: SeDebugPrivilege 3912 WerFault.exe

C:\Users\Admin\AppData\Local\Temp\scan-0001098.exe
"C:\Users\Admin\AppData\Local\Temp\scan-0001098.exe"
1⤵
PID:856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 856 -s 272
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3912

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...