7476dcf410a70085858f6941dd7b2eecfee947c2fc5f3119007fa32f46510bd2 | Triage

Analysis

max time kernel
135s
max time network
103s
platform
windows10_x64
resource
win10v200430
submitted
09-07-2020 08:24

Sharing

Report Analysis Logs

General

Target

crypt.exe
Size

544KB
MD5

522999de9b8ce418029ff040802697a9
SHA1

11b2097d9ad93c6ce29e252a95c0b242f6be766f
SHA256

7476dcf410a70085858f6941dd7b2eecfee947c2fc5f3119007fa32f46510bd2
SHA512

0d6653623b16f3972cf81fa63037b55702b9790f5b0cdbfe6f1f03a11614c304720132c0c398a4017fa3bc61521adc4e2bf2022fa6097be2d85592b6528dcc6c

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2732 2804 WerFault.exe crypt.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

WerFault.exe

pid	process
2732	WerFault.exe
2732	WerFault.exe
2732	WerFault.exe
2732	WerFault.exe
2732	WerFault.exe
2732	WerFault.exe
2732	WerFault.exe
2732	WerFault.exe
2732	WerFault.exe
2732	WerFault.exe
2732	WerFault.exe
2732	WerFault.exe
2732	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 2732 WerFault.exe
Token: SeBackupPrivilege 2732 WerFault.exe
Token: SeDebugPrivilege 2732 WerFault.exe

C:\Users\Admin\AppData\Local\Temp\crypt.exe
"C:\Users\Admin\AppData\Local\Temp\crypt.exe"
1⤵
PID:2804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2804 -s 1140
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2732

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2732-0-0x00000000042B0000-0x00000000042B1000-memory.dmp

Filesize
4KB

Download
memory/2732-1-0x00000000046B0000-0x00000000046B1000-memory.dmp

Filesize
4KB

Download
memory/2732-2-0x0000000004AB0000-0x0000000004AB1000-memory.dmp

Filesize
4KB

Download