bbd1b9d7ea2595f0b7464d3480aa45ff371895dc82676267612f589004f14584 | Triage

Analysis

max time kernel
119s
max time network
121s
platform
windows10_x64
resource
win10
submitted
07-07-2020 13:25

Sharing

Report Analysis Logs

General

Target

Harrry5.7.exe
Size

726KB
MD5

1e630f2976e32ffe250a25fb5761e23c
SHA1

6838b808ef597f5819218e1431e2b61eca4157a4
SHA256

bbd1b9d7ea2595f0b7464d3480aa45ff371895dc82676267612f589004f14584
SHA512

18fa1981349ddaaa514ff16616757075b7bb5457db2a7d7c3e506a0531d7c2138b602e92a64917fec0c2a13dfcfef81530b41689cca74cf5e4b3198db7322792

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3624 748 WerFault.exe Harrry5.7.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

Harrry5.7.exeWerFault.exe

pid	process
748	Harrry5.7.exe
3624	WerFault.exe
3624	WerFault.exe
3624	WerFault.exe
3624	WerFault.exe
3624	WerFault.exe
3624	WerFault.exe
3624	WerFault.exe
3624	WerFault.exe
3624	WerFault.exe
3624	WerFault.exe
3624	WerFault.exe
3624	WerFault.exe
3624	WerFault.exe
3624	WerFault.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

Harrry5.7.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	748	Harrry5.7.exe
Token: SeRestorePrivilege	3624	WerFault.exe
Token: SeBackupPrivilege	3624	WerFault.exe
Token: SeDebugPrivilege	3624	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\Harrry5.7.exe
"C:\Users\Admin\AppData\Local\Temp\Harrry5.7.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 748 -s 936
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3624

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3624-0-0x0000000004AC0000-0x0000000004AC1000-memory.dmp

Filesize
4KB

Download
memory/3624-1-0x0000000005200000-0x0000000005201000-memory.dmp

Filesize
4KB

Download