200e5b0b9f6c2ff5f4cce4653f467b8861983a566a6b5b68c878da8c0f30de4c | Triage

Analysis

max time kernel
137s
max time network
69s
platform
windows10_x64
resource
win10v200430
submitted
25-06-2020 06:01

Sharing

Report Analysis Logs

General

Target

2Fw4Imyy4AP4gQX.exe
Size

605KB
MD5

93ccd4151365228cdb632dbe01cfbdc6
SHA1

8ad3e4999c8686481430b9f03b060fa1a37ba5e2
SHA256

200e5b0b9f6c2ff5f4cce4653f467b8861983a566a6b5b68c878da8c0f30de4c
SHA512

a13807ab11cd53ba676fb66551723f202f86947e4dd37deff8b9238285474138b3564816b5c94f226b6af612cd1c52c843c46484c3939b189ad99a4f3e49746b

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1868 992 WerFault.exe 2Fw4Imyy4AP4gQX.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

pid	process
1868	WerFault.exe
1868	WerFault.exe
1868	WerFault.exe
1868	WerFault.exe
1868	WerFault.exe
1868	WerFault.exe
1868	WerFault.exe
1868	WerFault.exe
1868	WerFault.exe
1868	WerFault.exe
1868	WerFault.exe
1868	WerFault.exe
1868	WerFault.exe
1868	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 1868 WerFault.exe
Token: SeBackupPrivilege 1868 WerFault.exe
Token: SeDebugPrivilege 1868 WerFault.exe

C:\Users\Admin\AppData\Local\Temp\2Fw4Imyy4AP4gQX.exe
"C:\Users\Admin\AppData\Local\Temp\2Fw4Imyy4AP4gQX.exe"
1⤵
PID:992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 1108
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1868

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1868-0-0x0000000004E20000-0x0000000004E21000-memory.dmp

Filesize
4KB

Download
memory/1868-1-0x0000000005550000-0x0000000005551000-memory.dmp

Filesize
4KB

Download