4cea65512dbdf77377eb95df694165cfdfd47a190efc64c7ebf3947415a8c08b | Triage

Analysis

max time kernel
147s
max time network
149s
platform
windows10_x64
resource
win10
submitted
16-06-2020 20:57

Sharing

Report Analysis Logs

General

Target

D22zyhdi6zFGT56.exe
Size

859KB
MD5

279827a2093074fab8e309b66c6865cd
SHA1

f0c512393409f227309f56a023b57495892f8941
SHA256

4cea65512dbdf77377eb95df694165cfdfd47a190efc64c7ebf3947415a8c08b
SHA512

ff9033720a3ea8eaa668df569e48287e337d3199aa3a47131504a589c4d6de8410fa8d567ce84867468ae5c123677cbd8cf7f2fba0a17dce080d9aeafb04d1b6

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3036 3068 WerFault.exe D22zyhdi6zFGT56.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 3036 WerFault.exe
Token: SeBackupPrivilege 3036 WerFault.exe
Token: SeDebugPrivilege 3036 WerFault.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

WerFault.exe

pid	process
3036	WerFault.exe
3036	WerFault.exe
3036	WerFault.exe
3036	WerFault.exe
3036	WerFault.exe
3036	WerFault.exe
3036	WerFault.exe
3036	WerFault.exe
3036	WerFault.exe
3036	WerFault.exe
3036	WerFault.exe
3036	WerFault.exe
3036	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\D22zyhdi6zFGT56.exe
"C:\Users\Admin\AppData\Local\Temp\D22zyhdi6zFGT56.exe"
1⤵
PID:3068
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3068 -s 936
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  PID:3036

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3036-0-0x0000000004290000-0x0000000004291000-memory.dmp

Filesize
4KB

Download
memory/3036-1-0x0000000004850000-0x0000000004851000-memory.dmp

Filesize
4KB

Download