aa4bbc0296b28232d20ca66e74e55dea3f82ca212db912fbc0825c93403654a9 | Triage

Analysis

max time kernel
27s
max time network
31s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
19/05/2023, 13:07

Sharing

Report Analysis Logs

General

Target

file.exe
Size

410KB
MD5

e80264156b7c26f7495709faa23ffdb7
SHA1

5d497c936ee71cc18125793bba524e4832a10789
SHA256

aa4bbc0296b28232d20ca66e74e55dea3f82ca212db912fbc0825c93403654a9
SHA512

697c7d64c1b8f07cede094aa6ace876dd9d3eac3c634036764eb464196e8a41ce3d93ff878d9e6b2cb0a5ea35a93aa123f75463f1571b38acd7e53ee1e4c5ec8
SSDEEP

12288:9+cpD7KsRbSQ82gxVB5mSNDtdLCXZC/QuQ/g+LjQRohyqBoHCK0iOEfoh4c3QCNo:HpD0b

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2040	972	WerFault.exe	26

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	972	file.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 972 wrote to memory of 2040	972	file.exe	27
PID 972 wrote to memory of 2040	972	file.exe	27
PID 972 wrote to memory of 2040	972	file.exe	27
PID 972 wrote to memory of 2040	972	file.exe	27

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:972
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 972 -s 1088
  2⤵
  - Program crash
  PID:2040

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/972-54-0x0000000000170000-0x00000000001DC000-memory.dmp

Filesize
432KB

Download
memory/972-55-0x0000000000360000-0x000000000037A000-memory.dmp

Filesize
104KB

Download
memory/972-56-0x0000000004900000-0x0000000004940000-memory.dmp

Filesize
256KB

Download
memory/972-57-0x0000000004900000-0x0000000004940000-memory.dmp

Filesize
256KB

Download