0cf0a21265aeb77654b578aaecc8e53c43d4384bd2437ccc94164c1316993f91 | Triage

Analysis

max time kernel
147s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
05/12/2022, 07:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

x.exe
Size

993KB
MD5

84f5abb791328239fcb08dbc35414c48
SHA1

3dd2ded45da4ff1ed3797a471ec583aa4e33a2a4
SHA256

0cf0a21265aeb77654b578aaecc8e53c43d4384bd2437ccc94164c1316993f91
SHA512

4b850abc14cd17f672ad11e7014a8626871ec0a2b6c57d55e324ff310e069b775671ec9a9902c2ef31bfa9e32f5d4471e94dc73f40555537fc732bd4e5a753ae
SSDEEP

24576:N67fufBTqEjDpSodnEbv1ott4qM/Ig3t/c1pZBhPOy5TYvBQRwakt:N67fupJDwi2tEt4jICt+pZBYATYvBQRG

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1656	4648	WerFault.exe	79

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4648	x.exe

C:\Users\Admin\AppData\Local\Temp\x.exe
"C:\Users\Admin\AppData\Local\Temp\x.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4648
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4648 -s 1328
  2⤵
  - Program crash
  PID:1656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4648 -ip 4648
1⤵
PID:3036

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4648-132-0x0000000000B00000-0x0000000000BFE000-memory.dmp

Filesize
1016KB

Download
memory/4648-133-0x0000000008030000-0x00000000085D4000-memory.dmp

Filesize
5.6MB

Download
memory/4648-134-0x0000000007B20000-0x0000000007BB2000-memory.dmp

Filesize
584KB

Download
memory/4648-135-0x0000000007E40000-0x0000000007EA6000-memory.dmp

Filesize
408KB

Download