27cd376e2cadfbc6a07f01b0168e20ba22ea6d181d510c7316b758f85c72442a | Triage

Analysis

max time kernel
44s
max time network
47s
platform
windows7_x64
resource
win7-20220414-en
submitted
06-06-2022 11:36

Sharing

Report Analysis Logs

General

Target

REVISED OT STATMENT.exe
Size

23KB
MD5

72fa05be3392be5638758ee698836ffb
SHA1

e7e9a38bba03ba858083eea322271016afeee1dd
SHA256

27cd376e2cadfbc6a07f01b0168e20ba22ea6d181d510c7316b758f85c72442a
SHA512

82c3bd81ff254ec228751d69634bc19e3e5209b454fe44b3a1075065ef73b3962fdcfeff06d57733b153ad5572bb999fe025f7e84bc7c78a00c38789ea0e7041

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1072	784	WerFault.exe	26

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	784	REVISED OT STATMENT.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 784 wrote to memory of 1072	784	REVISED OT STATMENT.exe	27
PID 784 wrote to memory of 1072	784	REVISED OT STATMENT.exe	27
PID 784 wrote to memory of 1072	784	REVISED OT STATMENT.exe	27
PID 784 wrote to memory of 1072	784	REVISED OT STATMENT.exe	27

C:\Users\Admin\AppData\Local\Temp\REVISED OT STATMENT.exe
"C:\Users\Admin\AppData\Local\Temp\REVISED OT STATMENT.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:784
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 784 -s 1152
  2⤵
  - Program crash
  PID:1072

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/784-54-0x0000000000C00000-0x0000000000C0C000-memory.dmp

Filesize
48KB

Download
memory/784-55-0x0000000075701000-0x0000000075703000-memory.dmp

Filesize
8KB

Download