34e2cdf4a8564443aaccb8a7b831c82eb84d87879102ad899f954ba920c9033d | Triage

Analysis

max time kernel
19s
max time network
21s
platform
windows10_x64
resource
win10v20210408
submitted
26-09-2021 23:05

Sharing

Report Analysis Logs

General

Target

Loader.bin.exe
Size

6KB
MD5

9f317ae12d77a9accab49a12194a5add
SHA1

45d670064f58c0e48bbb686b27e92750cc78e364
SHA256

751c54e9d2d82b10853e9f3ffcaf93694929b21529df44afc9367b11f63d00b5
SHA512

ce77b39ef18c4489a76c302e32938505b7140df1c9d48a32db339d3d24f75584d09415c0ed645713354734a719fe4163c825ec66541eb950bdb8e5b79c8f0009

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3968 652 WerFault.exe Loader.bin.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

WerFault.exe

pid	process
3968	WerFault.exe
3968	WerFault.exe
3968	WerFault.exe
3968	WerFault.exe
3968	WerFault.exe
3968	WerFault.exe
3968	WerFault.exe
3968	WerFault.exe
3968	WerFault.exe
3968	WerFault.exe
3968	WerFault.exe
3968	WerFault.exe
3968	WerFault.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

Loader.bin.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	652	Loader.bin.exe
Token: SeRestorePrivilege	3968	WerFault.exe
Token: SeBackupPrivilege	3968	WerFault.exe
Token: SeDebugPrivilege	3968	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\Loader.bin.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.bin.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:652
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 652 -s 1324
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3968

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/652-114-0x0000000000D70000-0x0000000000D71000-memory.dmp

Filesize
4KB

Download
memory/652-116-0x0000000005680000-0x0000000005681000-memory.dmp

Filesize
4KB

Download