fa0370ff42dc286e42ccdb8f11010d301f4e497b4e00b245a78ba78254b26d6c | Triage

Analysis

max time kernel
119s
max time network
151s
platform
windows10_x64
resource
win10-en-20210920
submitted
30-09-2021 01:43

Sharing

Report Analysis Logs

General

Target

7ff6ef240000.svchost.exe
Size

284KB
MD5

6a736aa551f569447c69adc60d6a52a9
SHA1

fc6de6d9ed272e144ae9c53e847bcd597027fecd
SHA256

fa0370ff42dc286e42ccdb8f11010d301f4e497b4e00b245a78ba78254b26d6c
SHA512

0a1ef4305adf67fbf9eadeaf0616e6e66f8a721022cc7e32278257b8ae0b10d772077df7c6b833b1ac88ee9a0c89f9f1636f2eaeaba9b164b48982a355356fda

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2352 2064 WerFault.exe 7ff6ef240000.svchost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

pid	process
2352	WerFault.exe
2352	WerFault.exe
2352	WerFault.exe
2352	WerFault.exe
2352	WerFault.exe
2352	WerFault.exe
2352	WerFault.exe
2352	WerFault.exe
2352	WerFault.exe
2352	WerFault.exe
2352	WerFault.exe
2352	WerFault.exe
2352	WerFault.exe
2352	WerFault.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 2352 WerFault.exe

C:\Users\Admin\AppData\Local\Temp\7ff6ef240000.svchost.exe
"C:\Users\Admin\AppData\Local\Temp\7ff6ef240000.svchost.exe"
1⤵
PID:2064
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2064 -s 288
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2352

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads