230ad9bffe97e0ee1f8f7cbf3c6cfa2d95211d859170ee19e3e2d9b8c1cc97b5 | Triage

Analysis

max time kernel
74s
max time network
134s
platform
windows10_x64
resource
win10
submitted
08/07/2020, 12:11

Sharing

Report Analysis Logs

General

Target

230ad9bffe97e0ee1f8f7cbf3c6cfa2d95211d859170ee19e3e2d9b8c1cc97b5.exe
Size

705KB
MD5

af2d2ebeda11b5047b44ce8d0210de9e
SHA1

627160e80c9ea31f013ebbf9755f9b97e8493efc
SHA256

230ad9bffe97e0ee1f8f7cbf3c6cfa2d95211d859170ee19e3e2d9b8c1cc97b5
SHA512

1dcf7d6f3ff6981b2a13a091c451135b0af2c8c2fc12d33b0dfd4eaeb2a14ec88259a5201fcad80985c97d5fb664183ea8f14978cbc037133368aba304f4a0dc

Score

3^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
3796	WerFault.exe
3796	WerFault.exe
3796	WerFault.exe
3796	WerFault.exe
3796	WerFault.exe
3796	WerFault.exe
3796	WerFault.exe
3796	WerFault.exe
3796	WerFault.exe
3796	WerFault.exe
3796	WerFault.exe
3796	WerFault.exe
3796	WerFault.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3796	2460	WerFault.exe	66

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	3796	WerFault.exe
Token: SeBackupPrivilege	3796	WerFault.exe
Token: SeDebugPrivilege	3796	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\230ad9bffe97e0ee1f8f7cbf3c6cfa2d95211d859170ee19e3e2d9b8c1cc97b5.exe
"C:\Users\Admin\AppData\Local\Temp\230ad9bffe97e0ee1f8f7cbf3c6cfa2d95211d859170ee19e3e2d9b8c1cc97b5.exe"
1⤵
PID:2460
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2460 -s 1144
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:3796

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3796-0-0x0000000004390000-0x0000000004391000-memory.dmp

Filesize
4KB

Download
memory/3796-1-0x0000000004B50000-0x0000000004B51000-memory.dmp

Filesize
4KB

Download