c01657ae6e2f1fd94f247fbfc7dee9c701db142db2a3813c93ede6c633dd8029

Analysis

Target

Sample_5a2ea1b1c301d804e6dd924f.bin.exe
Size

81KB
MD5

645d25f0d9f89b7b8a48b078e84501b7
SHA1

7ffd6f6416e103591ff6ead7532843afd698e103
SHA256

c01657ae6e2f1fd94f247fbfc7dee9c701db142db2a3813c93ede6c633dd8029
SHA512

5334a34422ce4bb42332337d33e3193c2313907df2e265607fe25d9b7a0fc78dc252173494cb17347bbe499993bda7ff872912ba88ef693a13e5aaae7e1943ac

Score

10^/10

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2252 created 3384	2252	WerFault.exe	67

Program crash 2 IoCs

pid	pid_target	Process	procid_target
376	3384	WerFault.exe	67
2252	3384	WerFault.exe	67

Suspicious behavior: EnumeratesProcesses 25 IoCs

Suspicious use of AdjustPrivilegeToken 4 IoCs

C:\Users\Admin\AppData\Local\Temp\Sample_5a2ea1b1c301d804e6dd924f.bin.exe
"C:\Users\Admin\AppData\Local\Temp\Sample_5a2ea1b1c301d804e6dd924f.bin.exe"
1⤵
PID:3384
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3384 -s 1280
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:376
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3384 -s 1192
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2252

memory/3384-115-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/3384-117-0x0000000005440000-0x0000000005441000-memory.dmp

Filesize
4KB

Download
memory/3384-118-0x0000000004FE0000-0x0000000004FE1000-memory.dmp

Filesize
4KB

Download
memory/3384-119-0x0000000004F40000-0x000000000543E000-memory.dmp

Filesize
5.0MB

Download
memory/3384-120-0x0000000002AA0000-0x0000000002AA1000-memory.dmp

Filesize
4KB

Download
memory/3384-121-0x0000000008D40000-0x0000000008D41000-memory.dmp

Filesize
4KB

Download