77b7fa89c446b127b0c1d8ad0c5dc5fb57c8121dd3c40a67b77e5c0a35d75114 | Triage

Analysis

max time kernel
137s
max time network
139s
platform
windows10_x64
resource
win10v200430
submitted
16-06-2020 20:51

Sharing

Report Analysis Logs

General

Target

B3gkHhPlWv3DOsB.exe
Size

845KB
MD5

35a5963bfb1fa8b5e3851378959ac522
SHA1

b1c035b8221c06e14311eda738df7e28a6559514
SHA256

77b7fa89c446b127b0c1d8ad0c5dc5fb57c8121dd3c40a67b77e5c0a35d75114
SHA512

851bd78e047d34a27f532e808bbe6e27cc9b7e09a39bd26ed69b121f9b377a85a381e50f73d8b1775987d7582300b963cf7be119e9cb7334d490d21dacdddd80

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2748 1492 WerFault.exe B3gkHhPlWv3DOsB.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 2748 WerFault.exe
Token: SeBackupPrivilege 2748 WerFault.exe
Token: SeDebugPrivilege 2748 WerFault.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

WerFault.exe

pid	process
2748	WerFault.exe
2748	WerFault.exe
2748	WerFault.exe
2748	WerFault.exe
2748	WerFault.exe
2748	WerFault.exe
2748	WerFault.exe
2748	WerFault.exe
2748	WerFault.exe
2748	WerFault.exe
2748	WerFault.exe
2748	WerFault.exe
2748	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\B3gkHhPlWv3DOsB.exe
"C:\Users\Admin\AppData\Local\Temp\B3gkHhPlWv3DOsB.exe"
1⤵
PID:1492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1492 -s 944
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:2748

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2748-0-0x0000000004F70000-0x0000000004F71000-memory.dmp

Filesize
4KB

Download
memory/2748-1-0x00000000054B0000-0x00000000054B1000-memory.dmp

Filesize
4KB

Download