38ac4538725c959e9c2b280e4838ed511a2d4d4339a2be5ba91fe1fb5ec76545 | Triage

Analysis

max time kernel
69s
max time network
97s
platform
windows10_x64
resource
win10
submitted
09-07-2020 13:49

Sharing

Report Analysis Logs

General

Target

ubb.exe
Size

457KB
MD5

45c06eab307690b796dd9c1a3c7f8eb6
SHA1

1192c39f0357ce3ff44e524e2e7bc53978b693ed
SHA256

38ac4538725c959e9c2b280e4838ed511a2d4d4339a2be5ba91fe1fb5ec76545
SHA512

0ee5802e9d9d7e2d1630e1b80380abc5878dacad311fa01c03085ac580ab8d7799928cc4157857e948e01d13f57f530fcdff182aa078615d09ca675200393df1

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3856 3820 WerFault.exe ubb.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 3856 WerFault.exe
Token: SeBackupPrivilege 3856 WerFault.exe
Token: SeDebugPrivilege 3856 WerFault.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

WerFault.exe

pid	process
3856	WerFault.exe
3856	WerFault.exe
3856	WerFault.exe
3856	WerFault.exe
3856	WerFault.exe
3856	WerFault.exe
3856	WerFault.exe
3856	WerFault.exe
3856	WerFault.exe
3856	WerFault.exe
3856	WerFault.exe
3856	WerFault.exe
3856	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\ubb.exe
"C:\Users\Admin\AppData\Local\Temp\ubb.exe"
1⤵
PID:3820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3820 -s 1140
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:3856

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3856-0-0x0000000004970000-0x0000000004971000-memory.dmp

Filesize
4KB

Download
memory/3856-1-0x00000000050B0000-0x00000000050B1000-memory.dmp

Filesize
4KB

Download