fd512bcb35f6f9b41f33ec961e46e3b80a774d8038a03abb1b693064a84f8f1a | Triage

Analysis

max time kernel
66s
max time network
111s
platform
windows10_x64
resource
win10
submitted
30-06-2020 13:36

Sharing

Report Analysis Logs

General

Target

aa250511bf99e715a6b37fc643f355d8.exe
Size

500KB
MD5

aa250511bf99e715a6b37fc643f355d8
SHA1

4ee5f574ed4c49a269d257e353baf736e50210d2
SHA256

fd512bcb35f6f9b41f33ec961e46e3b80a774d8038a03abb1b693064a84f8f1a
SHA512

c1df88c46297ddd410dbcc874f6c43c396650e5e596e1fd246aea22ec2a2a4f8553ebed4a24a5aae511f082d8c5343c0511389c945d7eb4effcd190b66b014b9

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3928 2728 WerFault.exe aa250511bf99e715a6b37fc643f355d8.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 3928 WerFault.exe
Token: SeBackupPrivilege 3928 WerFault.exe
Token: SeDebugPrivilege 3928 WerFault.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

pid	process
3928	WerFault.exe
3928	WerFault.exe
3928	WerFault.exe
3928	WerFault.exe
3928	WerFault.exe
3928	WerFault.exe
3928	WerFault.exe
3928	WerFault.exe
3928	WerFault.exe
3928	WerFault.exe
3928	WerFault.exe
3928	WerFault.exe
3928	WerFault.exe
3928	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\aa250511bf99e715a6b37fc643f355d8.exe
"C:\Users\Admin\AppData\Local\Temp\aa250511bf99e715a6b37fc643f355d8.exe"
1⤵
PID:2728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2728 -s 1144
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:3928

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3928-0-0x0000000004710000-0x0000000004711000-memory.dmp

Filesize
4KB

Download
memory/3928-1-0x0000000004710000-0x0000000004711000-memory.dmp

Filesize
4KB

Download
memory/3928-3-0x0000000004BE0000-0x0000000004BE1000-memory.dmp

Filesize
4KB

Download