cd9f4545497982e34ff0cff1d26e4b8d4a46ff76715e815a06d5079f27117b1c | Triage

Analysis

max time kernel
24s
max time network
136s
platform
windows10_x64
resource
win10-en
submitted
08-09-2021 12:48

Sharing

Report Analysis Logs

General

Target

5987a6e42c3412086b7c9067dc25f1aaa659b2b123581899e9df92cb7907a3ed.bin.exe
Size

898KB
MD5

cb2b4cd74c7b57a12bd822a168e4e608
SHA1

f2182062719f0537071545b77ca75f39c2922bf5
SHA256

5987a6e42c3412086b7c9067dc25f1aaa659b2b123581899e9df92cb7907a3ed
SHA512

7a38be8c1270b1224be4975ad442a964b2523c849f748e5356156cdce39e494c64ca80b0d99c1d989d77f072902de8972e0b113894c9791fb0cabf856dbba348

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3856 3908 WerFault.exe 5987a6e42c3412086b7c9067dc25f1aaa659b2b123581899e9df92cb7907a3ed.bin.exe

NTFS ADS 1 IoCs

Processes:

5987a6e42c3412086b7c9067dc25f1aaa659b2b123581899e9df92cb7907a3ed.bin.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\򬁏C:\Windows\SysWOW64	5987a6e42c3412086b7c9067dc25f1aaa659b2b123581899e9df92cb7907a3ed.bin.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

WerFault.exe

pid	process
3856	WerFault.exe
3856	WerFault.exe
3856	WerFault.exe
3856	WerFault.exe
3856	WerFault.exe
3856	WerFault.exe
3856	WerFault.exe
3856	WerFault.exe
3856	WerFault.exe
3856	WerFault.exe
3856	WerFault.exe
3856	WerFault.exe
3856	WerFault.exe
3856	WerFault.exe
3856	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 3856 WerFault.exe
Token: SeBackupPrivilege 3856 WerFault.exe
Token: SeDebugPrivilege 3856 WerFault.exe

C:\Users\Admin\AppData\Local\Temp\5987a6e42c3412086b7c9067dc25f1aaa659b2b123581899e9df92cb7907a3ed.bin.exe
"C:\Users\Admin\AppData\Local\Temp\5987a6e42c3412086b7c9067dc25f1aaa659b2b123581899e9df92cb7907a3ed.bin.exe"
1⤵
- NTFS ADS
PID:3908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3908 -s 1524
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3856

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3908-115-0x0000000000EC0000-0x0000000000EF3000-memory.dmp

Filesize
204KB

Download