217265e900ce6d8b7750e25c9d4560715f2e58be5a2aa9210ba4f9974ae760c8 | Triage

Analysis

max time kernel
42s
max time network
46s
platform
windows7_x64
resource
win7-20220331-en
submitted
12/04/2022, 08:28

Sharing

Report Analysis Logs

General

Target

209609199e47fecdd76a96dabf1f9cf5.exe
Size

372KB
MD5

209609199e47fecdd76a96dabf1f9cf5
SHA1

4ad578096b72f376bd012d3f3ba6a6cd7f162432
SHA256

217265e900ce6d8b7750e25c9d4560715f2e58be5a2aa9210ba4f9974ae760c8
SHA512

b8893d5d367afb465420e1c0671510db6b1f4603458a0bd416f5ded0f670f7ccdef37133ddf0049dccd822d6b42b0565a94f7f0530d6093d80cedc4638ae08d9

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1312	1236	WerFault.exe	27

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1236	209609199e47fecdd76a96dabf1f9cf5.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1236 wrote to memory of 1312	1236	209609199e47fecdd76a96dabf1f9cf5.exe	28
PID 1236 wrote to memory of 1312	1236	209609199e47fecdd76a96dabf1f9cf5.exe	28
PID 1236 wrote to memory of 1312	1236	209609199e47fecdd76a96dabf1f9cf5.exe	28

C:\Users\Admin\AppData\Local\Temp\209609199e47fecdd76a96dabf1f9cf5.exe
"C:\Users\Admin\AppData\Local\Temp\209609199e47fecdd76a96dabf1f9cf5.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1236
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1236 -s 1044
  2⤵
  - Program crash
  PID:1312

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1236-54-0x0000000000FE0000-0x0000000001042000-memory.dmp

Filesize
392KB

Download
memory/1236-55-0x000000001B590000-0x000000001B592000-memory.dmp

Filesize
8KB

Download