b7e415a16cfc8d84c09f105709910d808f0ad13e64c7feb4169b135fe57c7f99 | Triage

Analysis

max time kernel
136s
max time network
107s
platform
windows10_x64
resource
win10v200430
submitted
09/07/2020, 07:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ZWiW2Y27HUjCG5Y.exe
Size

1.1MB
MD5

a1c4c357d66c06dab0cabe3803e4ba48
SHA1

b665fe8a7806111221819df058202508bbfaea12
SHA256

b7e415a16cfc8d84c09f105709910d808f0ad13e64c7feb4169b135fe57c7f99
SHA512

b39066bc46e18c469ccae10ea33077d999ea1f48c97af662a15e4ab905033ab12ce02c000f6635c55fb854ff27baf6f62c9b373927f3e16b4f9e3d1a5f4a84b0

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2816	652	WerFault.exe	65

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	2816	WerFault.exe
Token: SeBackupPrivilege	2816	WerFault.exe
Token: SeDebugPrivilege	2816	WerFault.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2816	WerFault.exe
2816	WerFault.exe
2816	WerFault.exe
2816	WerFault.exe
2816	WerFault.exe
2816	WerFault.exe
2816	WerFault.exe
2816	WerFault.exe
2816	WerFault.exe
2816	WerFault.exe
2816	WerFault.exe
2816	WerFault.exe
2816	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\ZWiW2Y27HUjCG5Y.exe
"C:\Users\Admin\AppData\Local\Temp\ZWiW2Y27HUjCG5Y.exe"
1⤵
PID:652
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 652 -s 1160
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  PID:2816

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2816-0-0x0000000004FC0000-0x0000000004FC1000-memory.dmp

Filesize
4KB

Download
memory/2816-1-0x0000000004FC0000-0x0000000004FC1000-memory.dmp

Filesize
4KB

Download
memory/2816-3-0x00000000057F0000-0x00000000057F1000-memory.dmp

Filesize
4KB

Download