28b1df5f4fc3b60bc9045270f254c86624d6f85e7aa5c7322943aed04d65fefa | Triage

Analysis

max time kernel
117s
max time network
119s
platform
windows7_x64
resource
win7-en-20211208
submitted
24/02/2022, 23:02

Sharing

Report Analysis Logs

General

Target

4.exe
Size

31KB
MD5

d0c228e4d8cc9a29f6073be657ebe2f2
SHA1

4d307f43584f67a0522838fcbf5824203281bf24
SHA256

28b1df5f4fc3b60bc9045270f254c86624d6f85e7aa5c7322943aed04d65fefa
SHA512

97c0a1770871b2d45ad8102c083fdac4bde9b7cfacf0955894bd53546865ac66431f8380ec72f01a545b76142dc350ec0f4cc392561a5152d351ac51da9eea63

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
780	736	WerFault.exe	26

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
780	WerFault.exe
780	WerFault.exe
780	WerFault.exe
780	WerFault.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
780	WerFault.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	780	WerFault.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 736 wrote to memory of 780	736	4.exe	27
PID 736 wrote to memory of 780	736	4.exe	27
PID 736 wrote to memory of 780	736	4.exe	27
PID 736 wrote to memory of 780	736	4.exe	27

C:\Users\Admin\AppData\Local\Temp\4.exe
"C:\Users\Admin\AppData\Local\Temp\4.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:736
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 736 -s 48
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:780

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/780-55-0x0000000076B81000-0x0000000076B83000-memory.dmp

Filesize
8KB

Download
memory/780-56-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download