3c3a0a24c9dc7ee7cb4a86ef7e113b9835d4dc2c69b915e9d16f68f99799e4c9 | Triage

Analysis

max time kernel
43s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25-01-2023 10:41

Sharing

Report Analysis Logs

General

Target

VSL Q88.scr
Size

17KB
MD5

525c930b348f58ecdaf03b08c1a91495
SHA1

5f08e2d33fc791929e29ad5b93a319453c3583a9
SHA256

bb393daf400b3417fdd00e65698a3fdb977cd41cc1df894b630b271ddb4769df
SHA512

44f17df7f6f7bbb505a40d389496f7acca83c8e78b4180fd7e90cad1ea42731ceed36d634780cdec6758b9c8c72a23df726b668ef5e6087bc778eb28e6b0dc0e
SSDEEP

384:gdO0vPqnnphy83JqGq3HLBhoksn1VRi2J2kcQ5Yi:gdnPqnnph53J3q3rBJsnMkcS

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1588 1264 WerFault.exe VSL Q88.scr
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

VSL Q88.scr

description pid process

Token: SeDebugPrivilege 1264 VSL Q88.scr

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

VSL Q88.scr

description	pid	process	target process
PID 1264 wrote to memory of 1588	1264	VSL Q88.scr	WerFault.exe
PID 1264 wrote to memory of 1588	1264	VSL Q88.scr	WerFault.exe
PID 1264 wrote to memory of 1588	1264	VSL Q88.scr	WerFault.exe
PID 1264 wrote to memory of 1588	1264	VSL Q88.scr	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\VSL Q88.scr
"C:\Users\Admin\AppData\Local\Temp\VSL Q88.scr" /S
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1264 -s 1048
- Program crash
PID:1588

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1264-54-0x0000000000D60000-0x0000000000D6A000-memory.dmp

Filesize
40KB

Download
memory/1264-55-0x0000000076711000-0x0000000076713000-memory.dmp

Filesize
8KB

Download
memory/1588-56-0x0000000000000000-mapping.dmp

Download