8416f3621c432bad0ab9877e3f9dc77ea9a3e1dfdbabef28b71059604b9fab04 | Triage

Analysis

max time kernel
65s
max time network
92s
platform
windows10_x64
resource
win10
submitted
09/07/2020, 18:32

Sharing

Report Analysis Logs

General

Target

AWB#-8158025864-09-07.exe
Size

553KB
MD5

871072d95966439336830c00838b0684
SHA1

39d5a3c8b6c53d5cc932e4a075871a12fd2b037b
SHA256

8416f3621c432bad0ab9877e3f9dc77ea9a3e1dfdbabef28b71059604b9fab04
SHA512

93d64f4a91c445ea53565254aa055361b917567b18803bf50e62d32d0a645a6b328a89d4b629c8377aa704fe76409a6504339517f35a44727e311146e7fdcc9e

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3896	3888	WerFault.exe	66

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
3896	WerFault.exe
3896	WerFault.exe
3896	WerFault.exe
3896	WerFault.exe
3896	WerFault.exe
3896	WerFault.exe
3896	WerFault.exe
3896	WerFault.exe
3896	WerFault.exe
3896	WerFault.exe
3896	WerFault.exe
3896	WerFault.exe
3896	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	3896	WerFault.exe
Token: SeBackupPrivilege	3896	WerFault.exe
Token: SeDebugPrivilege	3896	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\AWB#-8158025864-09-07.exe
"C:\Users\Admin\AppData\Local\Temp\AWB#-8158025864-09-07.exe"
1⤵
PID:3888
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3888 -s 912
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3896

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3896-0-0x0000000004EC0000-0x0000000004EC1000-memory.dmp

Filesize
4KB

Download
memory/3896-1-0x0000000005580000-0x0000000005581000-memory.dmp

Filesize
4KB

Download