dd260afd3bce6512adc691321da46a4ee2d7f8ef088f55afb7f312466bec6ba4 | Triage

Analysis

max time kernel
9s
max time network
11s
platform
windows10_x64
resource
win10-en-20210920
submitted
26-09-2021 23:02

Sharing

Report Analysis Logs

General

Target

Loader.bin.exe
Size

6KB
MD5

5c3b32ad7cdaa3c65759887a912029fd
SHA1

d2990ac50140519e1855127d28b223cf27a0a18c
SHA256

7f3e0e1b7a3ba9db2ff89575110380bc94a5b0eaadba10d264728ce6c3e31787
SHA512

9987ba947ca653090246ec6bab7029359c2fedb345065ed47e5339c55c837f353705bda3136302de3484ba35d95a21b37b2cf3d2d16e74c0887ad8cfedd5c99c

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3568 2524 WerFault.exe Loader.bin.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

pid	process
3568	WerFault.exe
3568	WerFault.exe
3568	WerFault.exe
3568	WerFault.exe
3568	WerFault.exe
3568	WerFault.exe
3568	WerFault.exe
3568	WerFault.exe
3568	WerFault.exe
3568	WerFault.exe
3568	WerFault.exe
3568	WerFault.exe
3568	WerFault.exe
3568	WerFault.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

Loader.bin.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	2524	Loader.bin.exe
Token: SeRestorePrivilege	3568	WerFault.exe
Token: SeBackupPrivilege	3568	WerFault.exe
Token: SeDebugPrivilege	3568	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\Loader.bin.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.bin.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2524
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 1636
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3568

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2524-115-0x0000000000DD0000-0x0000000000DD1000-memory.dmp

Filesize
4KB

Download
memory/2524-117-0x00000000030E0000-0x00000000030E1000-memory.dmp

Filesize
4KB

Download