ea6e111c255db8015bfd19ccb6806941c2fd03157b450887a7ea8ccc2580c47c | Triage

Analysis

max time kernel
62s
max time network
122s
platform
windows10_x64
resource
win10-en-20211208
submitted
23-01-2022 09:24

Sharing

Report Analysis Logs

General

Target

1.exe
Size

184KB
MD5

f44612558b731b168cd0d71462fed53e
SHA1

8113d350835eeb13ba52907fdd7e95c85eb4e34e
SHA256

ea6e111c255db8015bfd19ccb6806941c2fd03157b450887a7ea8ccc2580c47c
SHA512

82277b5746aaa19722675dcabcefece89ba993d49a0faac961ab425d7094c1f24ab16a8fc3da110200482a11ab83036c20f70b65cfe97c82a311ae8354b6584e

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1952 2728 WerFault.exe 1.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

WerFault.exe

pid	process
1952	WerFault.exe
1952	WerFault.exe
1952	WerFault.exe
1952	WerFault.exe
1952	WerFault.exe
1952	WerFault.exe
1952	WerFault.exe
1952	WerFault.exe
1952	WerFault.exe
1952	WerFault.exe
1952	WerFault.exe
1952	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 1952 WerFault.exe
Token: SeBackupPrivilege 1952 WerFault.exe
Token: SeDebugPrivilege 1952 WerFault.exe

C:\Users\Admin\AppData\Local\Temp\1.exe
"C:\Users\Admin\AppData\Local\Temp\1.exe"
1⤵
PID:2728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2728 -s 264
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1952

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...