3ee692779441b3a14699edc0f9ad269c58281d5735c570a9468f077739db26dd | Triage

Analysis

max time kernel
117s
max time network
120s
platform
windows10_x64
resource
win10
submitted
08/07/2020, 10:11

Sharing

Report Analysis Logs

General

Target

f38d9b74c3608660961b92448d249323.exe
Size

1.3MB
MD5

f38d9b74c3608660961b92448d249323
SHA1

2e48e08c75486a10eb463ee34826c9a2fc207e96
SHA256

3ee692779441b3a14699edc0f9ad269c58281d5735c570a9468f077739db26dd
SHA512

c7c076116ac62b89f8545247815c006d08b6a05112e39a1210956d4d48d97c33db38936dc19532244a715e26d2fa1b0cc6e8fc135f4150265a058f9a7dabaf0b

Score

3^/10

Malware Config

Signatures

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4092	f38d9b74c3608660961b92448d249323.exe
Token: SeRestorePrivilege	3852	WerFault.exe
Token: SeBackupPrivilege	3852	WerFault.exe
Token: SeDebugPrivilege	3852	WerFault.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3852	4092	WerFault.exe	66

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
3852	WerFault.exe
3852	WerFault.exe
3852	WerFault.exe
3852	WerFault.exe
3852	WerFault.exe
3852	WerFault.exe
3852	WerFault.exe
3852	WerFault.exe
3852	WerFault.exe
3852	WerFault.exe
3852	WerFault.exe
3852	WerFault.exe
3852	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\f38d9b74c3608660961b92448d249323.exe
"C:\Users\Admin\AppData\Local\Temp\f38d9b74c3608660961b92448d249323.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4092
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 1152
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  PID:3852

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3852-0-0x0000000004610000-0x0000000004611000-memory.dmp

Filesize
4KB

Download
memory/3852-1-0x0000000004C50000-0x0000000004C51000-memory.dmp

Filesize
4KB

Download