4cea65512dbdf77377eb95df694165cfdfd47a190efc64c7ebf3947415a8c08b | Triage

Analysis

max time kernel
147s
max time network
149s
platform
windows10_x64
resource
win10
submitted
16-06-2020 20:57

Sharing

Report Analysis Logs

General

Target

D22zyhdi6zFGT56.exe
Size

859KB
MD5

279827a2093074fab8e309b66c6865cd
SHA1

f0c512393409f227309f56a023b57495892f8941
SHA256

4cea65512dbdf77377eb95df694165cfdfd47a190efc64c7ebf3947415a8c08b
SHA512

ff9033720a3ea8eaa668df569e48287e337d3199aa3a47131504a589c4d6de8410fa8d567ce84867468ae5c123677cbd8cf7f2fba0a17dce080d9aeafb04d1b6

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3036	3068	WerFault.exe	66

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	3036	WerFault.exe
Token: SeBackupPrivilege	3036	WerFault.exe
Token: SeDebugPrivilege	3036	WerFault.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
3036	WerFault.exe
3036	WerFault.exe
3036	WerFault.exe
3036	WerFault.exe
3036	WerFault.exe
3036	WerFault.exe
3036	WerFault.exe
3036	WerFault.exe
3036	WerFault.exe
3036	WerFault.exe
3036	WerFault.exe
3036	WerFault.exe
3036	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\D22zyhdi6zFGT56.exe
"C:\Users\Admin\AppData\Local\Temp\D22zyhdi6zFGT56.exe"
1⤵
PID:3068
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3068 -s 936
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  PID:3036

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3036-0-0x0000000004290000-0x0000000004291000-memory.dmp

Filesize
4KB

Download
memory/3036-1-0x0000000004850000-0x0000000004851000-memory.dmp

Filesize
4KB

Download