c3a8830187f24899610607a4537fc6615cd46a640cd01f4abc0577f6a3edf894 | Triage

Analysis

max time kernel
136s
max time network
140s
platform
windows10_x64
resource
win10
submitted
09-07-2020 07:39

Sharing

Report Analysis Logs

General

Target

pZpQbRFlnxsu7VK.exe
Size

1.1MB
MD5

5ac4b78a44566b9cb49d308f54f3a97c
SHA1

e396d9389ec1414d111f72fca97b3fb1b362e108
SHA256

c3a8830187f24899610607a4537fc6615cd46a640cd01f4abc0577f6a3edf894
SHA512

3bb580adb3fee72f813e4155921f9d6b0cf465084c8be146aa73c8f11b8fb9777fd9ad63e62e808fad763e11c88631535fe58e51add20484c3fd99c1cfecefa2

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3832	3104	WerFault.exe	66

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	3832	WerFault.exe
Token: SeBackupPrivilege	3832	WerFault.exe
Token: SeDebugPrivilege	3832	WerFault.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
3832	WerFault.exe
3832	WerFault.exe
3832	WerFault.exe
3832	WerFault.exe
3832	WerFault.exe
3832	WerFault.exe
3832	WerFault.exe
3832	WerFault.exe
3832	WerFault.exe
3832	WerFault.exe
3832	WerFault.exe
3832	WerFault.exe
3832	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\pZpQbRFlnxsu7VK.exe
"C:\Users\Admin\AppData\Local\Temp\pZpQbRFlnxsu7VK.exe"
1⤵
PID:3104
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3104 -s 1152
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  PID:3832

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3832-0-0x00000000046E0000-0x00000000046E1000-memory.dmp

Filesize
4KB

Download
memory/3832-1-0x00000000046E0000-0x00000000046E1000-memory.dmp

Filesize
4KB

Download
memory/3832-3-0x00000000046E0000-0x00000000046E1000-memory.dmp

Filesize
4KB

Download