afdef065db92bacabeb6a8b638ff1adcded1a0f578c36ac89128d13cdf701234 | Triage

Analysis

max time kernel
65s
max time network
117s
platform
windows10_x64
resource
win10
submitted
09/07/2020, 07:38

Sharing

Report Analysis Logs

General

Target

YvHF6Lp7RzXCeb2.exe
Size

1.1MB
MD5

7c349d8e668f1347eba0f138c28c4019
SHA1

d6bf314945052ddd8a26139098c782aedd359b88
SHA256

afdef065db92bacabeb6a8b638ff1adcded1a0f578c36ac89128d13cdf701234
SHA512

dbf66e2e3558539de8e25ea96dc2c91e1343e1f991e9cf6fce8b360b1336dcb98cf904309dc76a487e66ba3278ca673b136ad28729492a0832239997c2ae4e3d

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3952	3048	WerFault.exe	66

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	3952	WerFault.exe
Token: SeBackupPrivilege	3952	WerFault.exe
Token: SeDebugPrivilege	3952	WerFault.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
3952	WerFault.exe
3952	WerFault.exe
3952	WerFault.exe
3952	WerFault.exe
3952	WerFault.exe
3952	WerFault.exe
3952	WerFault.exe
3952	WerFault.exe
3952	WerFault.exe
3952	WerFault.exe
3952	WerFault.exe
3952	WerFault.exe
3952	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\YvHF6Lp7RzXCeb2.exe
"C:\Users\Admin\AppData\Local\Temp\YvHF6Lp7RzXCeb2.exe"
1⤵
PID:3048
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3048 -s 1152
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  PID:3952

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3952-0-0x0000000004C30000-0x0000000004C31000-memory.dmp

Filesize
4KB

Download
memory/3952-1-0x0000000005270000-0x0000000005271000-memory.dmp

Filesize
4KB

Download