664c3a7e8d4c5316a116a2c00595fb66e338012898b09d44218ae8374477fab8 | Triage

Analysis

max time kernel
116s
max time network
152s
platform
windows10_x64
resource
win10-en-20210920
submitted
21-09-2021 09:20

Sharing

Report Analysis Logs

General

Target

adobe1_04360000_unpacked.exe
Size

660KB
MD5

923a849bd0e4dcea6ee5c4eeabecffec
SHA1

6cbdee32471fe4909067093352e7412358c7bd80
SHA256

664c3a7e8d4c5316a116a2c00595fb66e338012898b09d44218ae8374477fab8
SHA512

61caf1852fa61378a69df1b1d7bd3684f39d3d2c28f12700f2b3481dca312cbc4c3f80787e57184b47b8e10f77ff4cac081c7b86d2e4853705c8ec4c05cd1527

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2744	2468	WerFault.exe	69

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2744	WerFault.exe
2744	WerFault.exe
2744	WerFault.exe
2744	WerFault.exe
2744	WerFault.exe
2744	WerFault.exe
2744	WerFault.exe
2744	WerFault.exe
2744	WerFault.exe
2744	WerFault.exe
2744	WerFault.exe
2744	WerFault.exe
2744	WerFault.exe
2744	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	2744	WerFault.exe
Token: SeBackupPrivilege	2744	WerFault.exe
Token: SeDebugPrivilege	2744	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\adobe1_04360000_unpacked.exe
"C:\Users\Admin\AppData\Local\Temp\adobe1_04360000_unpacked.exe"
1⤵
PID:2468
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2468 -s 580
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2744

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2468-115-0x0000000013140000-0x000000001338A000-memory.dmp

Filesize
2.3MB

Download