b8ac4a45dbd25ba8bb4f71d53bb8615f6d00b9be95b6e976567377957d92c428 | Triage

Analysis

max time kernel
78s
max time network
116s
platform
windows10_x64
resource
win10
submitted
08/07/2020, 10:05

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

PO-7546354.exe
Size

821KB
MD5

0e39e0f49e3f74b7fe492f2f9b4e0969
SHA1

bc7fce8afc2a2d379e3e0714191dae859e3771a8
SHA256

b8ac4a45dbd25ba8bb4f71d53bb8615f6d00b9be95b6e976567377957d92c428
SHA512

a9b7539a91aa8593b5a15f2536069591e105ab75484a2bf3900aedbe9c2f6ab6bbed33ab000995f776471f51c86df17a17475c3997a000b854324d42eec4783c

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1940	2920	WerFault.exe	66

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	1940	WerFault.exe
Token: SeBackupPrivilege	1940	WerFault.exe
Token: SeDebugPrivilege	1940	WerFault.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
1940	WerFault.exe
1940	WerFault.exe
1940	WerFault.exe
1940	WerFault.exe
1940	WerFault.exe
1940	WerFault.exe
1940	WerFault.exe
1940	WerFault.exe
1940	WerFault.exe
1940	WerFault.exe
1940	WerFault.exe
1940	WerFault.exe
1940	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\PO-7546354.exe
"C:\Users\Admin\AppData\Local\Temp\PO-7546354.exe"
1⤵
PID:2920
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2920 -s 928
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  PID:1940

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1940-0-0x0000000004CD0000-0x0000000004CD1000-memory.dmp

Filesize
4KB

Download
memory/1940-1-0x0000000005210000-0x0000000005211000-memory.dmp

Filesize
4KB

Download