772f0c407388e029e98f9d885f57a0e3ef9b0f42099a16fe6367fb321d4e2444 | Triage

Analysis

max time kernel
87s
max time network
122s
platform
windows10_x64
resource
win10-en-20211208
submitted
28-12-2021 19:07

Sharing

Report Analysis Logs

General

Target

110526d2882da3d46aa3d7023b00f41e.exe
Size

3.4MB
MD5

110526d2882da3d46aa3d7023b00f41e
SHA1

250a483cead19e65bc11d215d48289dff51241b0
SHA256

772f0c407388e029e98f9d885f57a0e3ef9b0f42099a16fe6367fb321d4e2444
SHA512

46b4bd385342adcbbf52037d8c6b68609aed852dafde949022715f40f18af30f31497f30f49cdc1d0d9cb98a569d8b93079288b0b1926414413a0c20074ad6c6

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2264 3876 WerFault.exe 110526d2882da3d46aa3d7023b00f41e.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

WerFault.exe

pid	process
2264	WerFault.exe
2264	WerFault.exe
2264	WerFault.exe
2264	WerFault.exe
2264	WerFault.exe
2264	WerFault.exe
2264	WerFault.exe
2264	WerFault.exe
2264	WerFault.exe
2264	WerFault.exe
2264	WerFault.exe
2264	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 2264 WerFault.exe
Token: SeBackupPrivilege 2264 WerFault.exe
Token: SeDebugPrivilege 2264 WerFault.exe

C:\Users\Admin\AppData\Local\Temp\110526d2882da3d46aa3d7023b00f41e.exe
"C:\Users\Admin\AppData\Local\Temp\110526d2882da3d46aa3d7023b00f41e.exe"
1⤵
PID:3876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3876 -s 404
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2264

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3876-115-0x0000000002770000-0x00000000027D0000-memory.dmp

Filesize
384KB

Download