664c3a7e8d4c5316a116a2c00595fb66e338012898b09d44218ae8374477fab8 | Triage

Analysis

max time kernel
116s
max time network
152s
platform
windows10_x64
resource
win10-en-20210920
submitted
21-09-2021 09:20

Sharing

Report Analysis Logs

General

Target

adobe1_04360000_unpacked.exe
Size

660KB
MD5

923a849bd0e4dcea6ee5c4eeabecffec
SHA1

6cbdee32471fe4909067093352e7412358c7bd80
SHA256

664c3a7e8d4c5316a116a2c00595fb66e338012898b09d44218ae8374477fab8
SHA512

61caf1852fa61378a69df1b1d7bd3684f39d3d2c28f12700f2b3481dca312cbc4c3f80787e57184b47b8e10f77ff4cac081c7b86d2e4853705c8ec4c05cd1527

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2744 2468 WerFault.exe adobe1_04360000_unpacked.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

pid	process
2744	WerFault.exe
2744	WerFault.exe
2744	WerFault.exe
2744	WerFault.exe
2744	WerFault.exe
2744	WerFault.exe
2744	WerFault.exe
2744	WerFault.exe
2744	WerFault.exe
2744	WerFault.exe
2744	WerFault.exe
2744	WerFault.exe
2744	WerFault.exe
2744	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 2744 WerFault.exe
Token: SeBackupPrivilege 2744 WerFault.exe
Token: SeDebugPrivilege 2744 WerFault.exe

C:\Users\Admin\AppData\Local\Temp\adobe1_04360000_unpacked.exe
"C:\Users\Admin\AppData\Local\Temp\adobe1_04360000_unpacked.exe"
1⤵
PID:2468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2468 -s 580
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2744

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2468-115-0x0000000013140000-0x000000001338A000-memory.dmp

Filesize
2.3MB

Download