0310713073d73da7a45ff957b3fdba84d8d6da70a91a8404c66561007d505d08 | Triage

Analysis

max time kernel
75s
max time network
150s
platform
windows10_x64
resource
win10
submitted
30-06-2020 15:10

Sharing

Report Analysis Logs

General

Target

swift_7974.exe
Size

484KB
MD5

475e1f8a737a1137a0935909184f8824
SHA1

15b9a691f4490c3c562e8bf5639f999c4cf95313
SHA256

0310713073d73da7a45ff957b3fdba84d8d6da70a91a8404c66561007d505d08
SHA512

1ff39b6bde5ae30072b43d9e9d32ce2256508656eca5dc7fccb0c0058f102371e9f5ca1ea3fb3b2ebe74f4aada43c62220cca2873dd6549effbe5deb4b8730fe

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3644 772 WerFault.exe swift_7974.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 3644 WerFault.exe
Token: SeBackupPrivilege 3644 WerFault.exe
Token: SeDebugPrivilege 3644 WerFault.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

pid	process
3644	WerFault.exe
3644	WerFault.exe
3644	WerFault.exe
3644	WerFault.exe
3644	WerFault.exe
3644	WerFault.exe
3644	WerFault.exe
3644	WerFault.exe
3644	WerFault.exe
3644	WerFault.exe
3644	WerFault.exe
3644	WerFault.exe
3644	WerFault.exe
3644	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\swift_7974.exe
"C:\Users\Admin\AppData\Local\Temp\swift_7974.exe"
1⤵
PID:772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 772 -s 1140
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:3644

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3644-0-0x0000000004C50000-0x0000000004C51000-memory.dmp

Filesize
4KB

Download
memory/3644-1-0x0000000005400000-0x0000000005401000-memory.dmp

Filesize
4KB

Download