e4c55dc882cf54a79a44eb8f4170e78dd9cc659d279419d8205382fd51724bf0 | Triage

Analysis

max time kernel
147s
max time network
183s
platform
windows10_x64
resource
win10-en-20211208
submitted
22-01-2022 00:35

Sharing

Report Analysis Logs

General

Target

e4c55dc882cf54a79a44eb8f4170e78dd9cc659d279419d8205382fd51724bf0.exe
Size

224KB
MD5

07373b24d644d8d5a69836738404a555
SHA1

10eadfbfafe5d3b0ee9cfcca062192be56b447a1
SHA256

e4c55dc882cf54a79a44eb8f4170e78dd9cc659d279419d8205382fd51724bf0
SHA512

9d220bed270853c1f0cde5384ece111908130f052bf7b5879c03fd129a11e1aaab5f49e5e867d141ea4bb7b72d353554a1c86a8b985bc7cf671af289a58dfae2

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1344 3608 WerFault.exe e4c55dc882cf54a79a44eb8f4170e78dd9cc659d279419d8205382fd51724bf0.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

WerFault.exe

pid	process
1344	WerFault.exe
1344	WerFault.exe
1344	WerFault.exe
1344	WerFault.exe
1344	WerFault.exe
1344	WerFault.exe
1344	WerFault.exe
1344	WerFault.exe
1344	WerFault.exe
1344	WerFault.exe
1344	WerFault.exe
1344	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 1344 WerFault.exe
Token: SeBackupPrivilege 1344 WerFault.exe
Token: SeDebugPrivilege 1344 WerFault.exe

C:\Users\Admin\AppData\Local\Temp\e4c55dc882cf54a79a44eb8f4170e78dd9cc659d279419d8205382fd51724bf0.exe
"C:\Users\Admin\AppData\Local\Temp\e4c55dc882cf54a79a44eb8f4170e78dd9cc659d279419d8205382fd51724bf0.exe"
1⤵
PID:3608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 368
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1344

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3608-115-0x00000000001E0000-0x00000000001E4000-memory.dmp

Filesize
16KB

Download