14bc7146562bb679d9e708f1f748512a140a4a32e2ae1d7a8de6c971b5639686 | Triage

Analysis

max time kernel
135s
max time network
135s
platform
windows10_x64
resource
win10
submitted
09/07/2020, 07:34

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

SPEC ORDER #3081.exe
Size

375KB
MD5

383949d00c81b2a7ca1c5b225a4e268d
SHA1

166b82c1363bbf1d48ae27291cd6b8205e8908ed
SHA256

14bc7146562bb679d9e708f1f748512a140a4a32e2ae1d7a8de6c971b5639686
SHA512

567592a32dd2cdbca984ee6eb74e4985143e852f6ba433d8cc26fbb7ef36cc55c6f83617218a4719b1d07ee9c19abb7cc9dab21e52bd060554621bd054f75f64

Score

3^/10

Malware Config

Signatures

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	3788	WerFault.exe
Token: SeBackupPrivilege	3788	WerFault.exe
Token: SeDebugPrivilege	3788	WerFault.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
3788	WerFault.exe
3788	WerFault.exe
3788	WerFault.exe
3788	WerFault.exe
3788	WerFault.exe
3788	WerFault.exe
3788	WerFault.exe
3788	WerFault.exe
3788	WerFault.exe
3788	WerFault.exe
3788	WerFault.exe
3788	WerFault.exe
3788	WerFault.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3788	3588	WerFault.exe	66

C:\Users\Admin\AppData\Local\Temp\SPEC ORDER #3081.exe
"C:\Users\Admin\AppData\Local\Temp\SPEC ORDER #3081.exe"
1⤵
PID:3588
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 1136
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  - Program crash
  PID:3788

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3788-0-0x0000000004C30000-0x0000000004C31000-memory.dmp

Filesize
4KB

Download
memory/3788-1-0x0000000005370000-0x0000000005371000-memory.dmp

Filesize
4KB

Download