b7a6d7f4d15e42eb71836dc7372f48654462c7752d015513232346f0af92f81e | Triage

Analysis

max time kernel
126s
max time network
150s
platform
windows10_x64
resource
win10-en-20211208
submitted
13-12-2021 20:19

Sharing

Report Analysis Logs

General

Target

bd8a1ba3556221c105087262321114d1.exe
Size

862KB
MD5

bd8a1ba3556221c105087262321114d1
SHA1

ef49cd974cf09508d3b86c9fdc48ce33f1a5aeed
SHA256

b7a6d7f4d15e42eb71836dc7372f48654462c7752d015513232346f0af92f81e
SHA512

f7683f4d055cca2ca3907fb227c6b03382a19f692b79324a05df5bf4a89240612e2727e1934e9ac898d4fa508220f339de2c3608f8b1124c3b792996f3aef8e6

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1532 3488 WerFault.exe bd8a1ba3556221c105087262321114d1.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

WerFault.exe

pid	process
1532	WerFault.exe
1532	WerFault.exe
1532	WerFault.exe
1532	WerFault.exe
1532	WerFault.exe
1532	WerFault.exe
1532	WerFault.exe
1532	WerFault.exe
1532	WerFault.exe
1532	WerFault.exe
1532	WerFault.exe
1532	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 1532 WerFault.exe
Token: SeBackupPrivilege 1532 WerFault.exe
Token: SeDebugPrivilege 1532 WerFault.exe

C:\Users\Admin\AppData\Local\Temp\bd8a1ba3556221c105087262321114d1.exe
"C:\Users\Admin\AppData\Local\Temp\bd8a1ba3556221c105087262321114d1.exe"
1⤵
PID:3488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3488 -s 1904
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1532

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3488-119-0x00000000005F0000-0x000000000073A000-memory.dmp

Filesize
1.3MB

Download