38ac4538725c959e9c2b280e4838ed511a2d4d4339a2be5ba91fe1fb5ec76545 | Triage

Analysis

max time kernel
69s
max time network
97s
platform
windows10_x64
resource
win10
submitted
09/07/2020, 13:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ubb.exe
Size

457KB
MD5

45c06eab307690b796dd9c1a3c7f8eb6
SHA1

1192c39f0357ce3ff44e524e2e7bc53978b693ed
SHA256

38ac4538725c959e9c2b280e4838ed511a2d4d4339a2be5ba91fe1fb5ec76545
SHA512

0ee5802e9d9d7e2d1630e1b80380abc5878dacad311fa01c03085ac580ab8d7799928cc4157857e948e01d13f57f530fcdff182aa078615d09ca675200393df1

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3856	3820	WerFault.exe	66

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	3856	WerFault.exe
Token: SeBackupPrivilege	3856	WerFault.exe
Token: SeDebugPrivilege	3856	WerFault.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
3856	WerFault.exe
3856	WerFault.exe
3856	WerFault.exe
3856	WerFault.exe
3856	WerFault.exe
3856	WerFault.exe
3856	WerFault.exe
3856	WerFault.exe
3856	WerFault.exe
3856	WerFault.exe
3856	WerFault.exe
3856	WerFault.exe
3856	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\ubb.exe
"C:\Users\Admin\AppData\Local\Temp\ubb.exe"
1⤵
PID:3820
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3820 -s 1140
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  PID:3856

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3856-0-0x0000000004970000-0x0000000004971000-memory.dmp

Filesize
4KB

Download
memory/3856-1-0x00000000050B0000-0x00000000050B1000-memory.dmp

Filesize
4KB

Download