4eb7a7353a49eb38c15ab6bbd8226493daa643ebedbca960bd94f05c33201bef | Triage

Analysis

max time kernel
64s
max time network
70s
platform
windows10_x64
resource
win10
submitted
07/07/2020, 18:10

Sharing

Report Analysis Logs

General

Target

4eb7a7353a49eb38c15ab6bbd8226493daa643ebedbca960bd94f05c33201bef.exe
Size

238KB
MD5

e857a0b6a93f6247362ade805dfc27b8
SHA1

8fe80b60dc811856cbd64f56d326bb485343e4e5
SHA256

4eb7a7353a49eb38c15ab6bbd8226493daa643ebedbca960bd94f05c33201bef
SHA512

72f42436f0fd131e8ca97ab04abfbae62d3f52c816e2dbc96dd735d1ff4eeb9bb6e70649ccd8dd7fe599db376ba4114e94acf86d53ee5cbe16219159a5d7006a

Score

3^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
4064	WerFault.exe
4064	WerFault.exe
4064	WerFault.exe
4064	WerFault.exe
4064	WerFault.exe
4064	WerFault.exe
4064	WerFault.exe
4064	WerFault.exe
4064	WerFault.exe
4064	WerFault.exe
4064	WerFault.exe
4064	WerFault.exe
4064	WerFault.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4064	3536	WerFault.exe	66

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	4064	WerFault.exe
Token: SeBackupPrivilege	4064	WerFault.exe
Token: SeDebugPrivilege	4064	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\4eb7a7353a49eb38c15ab6bbd8226493daa643ebedbca960bd94f05c33201bef.exe
"C:\Users\Admin\AppData\Local\Temp\4eb7a7353a49eb38c15ab6bbd8226493daa643ebedbca960bd94f05c33201bef.exe"
1⤵
PID:3536
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3536 -s 1132
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:4064

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4064-0-0x00000000049F0000-0x00000000049F1000-memory.dmp

Filesize
4KB

Download
memory/4064-2-0x00000000051A0000-0x00000000051A1000-memory.dmp

Filesize
4KB

Download