0a89eaba131bd382f2f0fd1d4ad31800366e61d57a88d2ec0c07ab9c0eb4eff1 | Triage

Analysis

max time kernel
145s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
05-03-2022 07:15

Sharing

Report Analysis Logs

General

Target

Viruses/b.exe
Size

131KB
MD5

728eca0c2c3030179d8546a15ac62c2e
SHA1

2b7e40cf217e53de3d5b3022f99b773afc02c880
SHA256

10ea5ac09ec72101c6f8656f3f08f6f9495f8b43849f27928efd6485cee04913
SHA512

f69873c73fa9354cf7dd3e9564feb1f2fef1151583977c03f4491155f14fe6d142d0f7e2e3477b75a862f62e5f0cc099f69a72f04081b4f591567857fa569e31

Score

10^/10

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2488 created 1588	2488	svchost.exe	78

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3640	3632	WerFault.exe	91

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeTcbPrivilege	2488	svchost.exe
Token: SeTcbPrivilege	2488	svchost.exe

C:\Users\Admin\AppData\Local\Temp\Viruses\b.exe
"C:\Users\Admin\AppData\Local\Temp\Viruses\b.exe"
1⤵
PID:1588

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
PID:2488

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 436 -p 3632 -ip 3632
1⤵
PID:4012

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3632 -s 1824
1⤵
- Program crash
PID:3640

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads