634504a104cbbdd153e75bd778266a8ae7553fda4d477beefc3c8e7bdbc65fba | Triage

Analysis

max time kernel
73s
max time network
116s
platform
windows10_x64
resource
win10
submitted
07/07/2020, 15:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

634504a104cbbdd153e75bd778266a8ae7553fda4d477beefc3c8e7bdbc65fba.exe
Size

549KB
MD5

199ea7a5bb866bc8d6abd64d6aed6355
SHA1

bcb3a35ac77d85e2b53be7e671554d76a91ef315
SHA256

634504a104cbbdd153e75bd778266a8ae7553fda4d477beefc3c8e7bdbc65fba
SHA512

99f1759ef750bc840c525c65d1289e94bf3c1e2e2e3b5a6f14223c7a79578b16eede76e93655cba7fcdd88cedcd1af01f3f3ddd7530b5b44717942c909ea86e6

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3968	3588	WerFault.exe	66

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
3968	WerFault.exe
3968	WerFault.exe
3968	WerFault.exe
3968	WerFault.exe
3968	WerFault.exe
3968	WerFault.exe
3968	WerFault.exe
3968	WerFault.exe
3968	WerFault.exe
3968	WerFault.exe
3968	WerFault.exe
3968	WerFault.exe
3968	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	3968	WerFault.exe
Token: SeBackupPrivilege	3968	WerFault.exe
Token: SeDebugPrivilege	3968	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\634504a104cbbdd153e75bd778266a8ae7553fda4d477beefc3c8e7bdbc65fba.exe
"C:\Users\Admin\AppData\Local\Temp\634504a104cbbdd153e75bd778266a8ae7553fda4d477beefc3c8e7bdbc65fba.exe"
1⤵
PID:3588
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 936
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3968

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3968-0-0x00000000044D0000-0x00000000044D1000-memory.dmp

Filesize
4KB

Download
memory/3968-1-0x00000000044D0000-0x00000000044D1000-memory.dmp

Filesize
4KB

Download
memory/3968-3-0x0000000004B80000-0x0000000004B81000-memory.dmp

Filesize
4KB

Download