afdef065db92bacabeb6a8b638ff1adcded1a0f578c36ac89128d13cdf701234 | Triage

Analysis

max time kernel
65s
max time network
117s
platform
windows10_x64
resource
win10
submitted
09-07-2020 07:38

Sharing

Report Analysis Logs

General

Target

YvHF6Lp7RzXCeb2.exe
Size

1.1MB
MD5

7c349d8e668f1347eba0f138c28c4019
SHA1

d6bf314945052ddd8a26139098c782aedd359b88
SHA256

afdef065db92bacabeb6a8b638ff1adcded1a0f578c36ac89128d13cdf701234
SHA512

dbf66e2e3558539de8e25ea96dc2c91e1343e1f991e9cf6fce8b360b1336dcb98cf904309dc76a487e66ba3278ca673b136ad28729492a0832239997c2ae4e3d

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3952 3048 WerFault.exe YvHF6Lp7RzXCeb2.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 3952 WerFault.exe
Token: SeBackupPrivilege 3952 WerFault.exe
Token: SeDebugPrivilege 3952 WerFault.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

WerFault.exe

pid	process
3952	WerFault.exe
3952	WerFault.exe
3952	WerFault.exe
3952	WerFault.exe
3952	WerFault.exe
3952	WerFault.exe
3952	WerFault.exe
3952	WerFault.exe
3952	WerFault.exe
3952	WerFault.exe
3952	WerFault.exe
3952	WerFault.exe
3952	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\YvHF6Lp7RzXCeb2.exe
"C:\Users\Admin\AppData\Local\Temp\YvHF6Lp7RzXCeb2.exe"
1⤵
PID:3048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3048 -s 1152
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:3952

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3952-0-0x0000000004C30000-0x0000000004C31000-memory.dmp

Filesize
4KB

Download
memory/3952-1-0x0000000005270000-0x0000000005271000-memory.dmp

Filesize
4KB

Download