0a779376d06a79b1b6c3ab2e2b241adf8b39db02e8180829a8f7071847f42b56 | Triage

Analysis

max time kernel
32s
max time network
50s
platform
windows7_x64
resource
win7-20220414-en
submitted
08-05-2022 10:57

Sharing

Report Analysis Logs

General

Target

tmp.exe
Size

925KB
MD5

4470f83cba058890c43ded4a3940c3dc
SHA1

f9c2953280646715ec9ad0d034a6eae43d1fc8c4
SHA256

0a779376d06a79b1b6c3ab2e2b241adf8b39db02e8180829a8f7071847f42b56
SHA512

8e3804af84b5f8d04630283dbc8764ea8d7395af635615013bf9bc25d3290c248a24e1b6f8486960aba5569c4cce105fb9f0ff82661d5f587ae56cab18b88981

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

928 968 WerFault.exe tmp.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

tmp.exe

description pid process

Token: SeDebugPrivilege 968 tmp.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

tmp.exe

description	pid	process	target process
PID 968 wrote to memory of 928	968	tmp.exe	WerFault.exe
PID 968 wrote to memory of 928	968	tmp.exe	WerFault.exe
PID 968 wrote to memory of 928	968	tmp.exe	WerFault.exe
PID 968 wrote to memory of 928	968	tmp.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 968 -s 544
2⤵
- Program crash
PID:928

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/928-55-0x0000000000000000-mapping.dmp

Download
memory/968-54-0x00000000002D0000-0x00000000003BE000-memory.dmp

Filesize
952KB

Download