d47f5168e5b3b521b9e2722207e1fcf5be168c8dab409ffd575cba8c08fe1f9e | Triage

Analysis

max time kernel
127s
max time network
150s
platform
windows10_x64
resource
win10v200430
submitted
07/07/2020, 10:05

Sharing

Report Analysis Logs

General

Target

kWRzqj4iO78z4ri.exe
Size

746KB
MD5

9edb7a4a29110cd92c0f304fd69f8308
SHA1

95f1be6b1e4f159712d415bfb99c8dd57202a18b
SHA256

d47f5168e5b3b521b9e2722207e1fcf5be168c8dab409ffd575cba8c08fe1f9e
SHA512

bb3dbd10ad536c69aed3a7963ba5f8e10e1f1d4a79d65ff7d7cfe5d4cff6331a128b0a6d8ce21b8dc6e936db633bbb47fa487857699d3797b86561c8849c3ebc

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4092	1612	WerFault.exe	67

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	4092	WerFault.exe
Token: SeBackupPrivilege	4092	WerFault.exe
Token: SeDebugPrivilege	4092	WerFault.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
4092	WerFault.exe
4092	WerFault.exe
4092	WerFault.exe
4092	WerFault.exe
4092	WerFault.exe
4092	WerFault.exe
4092	WerFault.exe
4092	WerFault.exe
4092	WerFault.exe
4092	WerFault.exe
4092	WerFault.exe
4092	WerFault.exe
4092	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\kWRzqj4iO78z4ri.exe
"C:\Users\Admin\AppData\Local\Temp\kWRzqj4iO78z4ri.exe"
1⤵
PID:1612
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 944
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  PID:4092

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4092-0-0x0000000004D50000-0x0000000004D51000-memory.dmp

Filesize
4KB

Download
memory/4092-1-0x0000000005310000-0x0000000005311000-memory.dmp

Filesize
4KB

Download