0b86159d631072ea71c923b2e889cb462d93227c18c4fab7a9e5ee8cb98d818c | Triage

Analysis

max time kernel
119s
max time network
142s
platform
windows10_x64
resource
win10v200430
submitted
05/07/2020, 07:19

Sharing

Report Analysis Logs

General

Target

IT.exe
Size

206KB
MD5

4431fb78737232abbb23324ec36f459e
SHA1

4bb935791365ab23ac98628663a98d57df635451
SHA256

0b86159d631072ea71c923b2e889cb462d93227c18c4fab7a9e5ee8cb98d818c
SHA512

3d93355a7e0107b6f98546643fcba9e36a297caf4584a924a9cba7d4fc21c0905c11e8ebeedac3325eb617341beb55f3b7cd80b6b122485f683b1dfda99bb422

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2092	1508	WerFault.exe	67

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	2092	WerFault.exe
Token: SeBackupPrivilege	2092	WerFault.exe
Token: SeDebugPrivilege	2092	WerFault.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2092	WerFault.exe
2092	WerFault.exe
2092	WerFault.exe
2092	WerFault.exe
2092	WerFault.exe
2092	WerFault.exe
2092	WerFault.exe
2092	WerFault.exe
2092	WerFault.exe
2092	WerFault.exe
2092	WerFault.exe
2092	WerFault.exe
2092	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\IT.exe
"C:\Users\Admin\AppData\Local\Temp\IT.exe"
1⤵
PID:1508
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 1124
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  PID:2092

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2092-0-0x0000000004C00000-0x0000000004C01000-memory.dmp

Filesize
4KB

Download
memory/2092-2-0x00000000051C0000-0x00000000051C1000-memory.dmp

Filesize
4KB

Download