70a3e3040e47398629957e35100380def41b1ab5b4ac73e777051b6e85c60b19 | Triage

Analysis

max time kernel
71s
max time network
116s
platform
windows10_x64
resource
win10
submitted
30-06-2020 05:28

Sharing

Report Analysis Logs

General

Target

IePZajh9fm9DACV.exe
Size

362KB
MD5

82c01db6ccaa1c602b77c59b3ed64d71
SHA1

71ca9deefc3a678bf7fde895978ff5ff5a67691a
SHA256

70a3e3040e47398629957e35100380def41b1ab5b4ac73e777051b6e85c60b19
SHA512

0ae49f96a29e21bf8d4e29f7d93f79870b006e0b639bf49565cb7cffca2ad2d7fd26c76d84f777e4aa77a00b91a546dd7a9b957fb326a707f727bb6b76648f59

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3876 2532 WerFault.exe IePZajh9fm9DACV.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 3876 WerFault.exe
Token: SeBackupPrivilege 3876 WerFault.exe
Token: SeDebugPrivilege 3876 WerFault.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

WerFault.exe

pid	process
3876	WerFault.exe
3876	WerFault.exe
3876	WerFault.exe
3876	WerFault.exe
3876	WerFault.exe
3876	WerFault.exe
3876	WerFault.exe
3876	WerFault.exe
3876	WerFault.exe
3876	WerFault.exe
3876	WerFault.exe
3876	WerFault.exe
3876	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\IePZajh9fm9DACV.exe
"C:\Users\Admin\AppData\Local\Temp\IePZajh9fm9DACV.exe"
1⤵
PID:2532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2532 -s 1168
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:3876

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3876-0-0x0000000004C30000-0x0000000004C31000-memory.dmp

Filesize
4KB

Download
memory/3876-1-0x00000000054E0000-0x00000000054E1000-memory.dmp

Filesize
4KB

Download
memory/3876-2-0x00000000058E0000-0x00000000058E1000-memory.dmp

Filesize
4KB

Download