1bd16b971407f4aeb31f7eb8392b2299b22cc8e1778a8c770e7ac4c0150681e8 | Triage

Analysis

max time kernel
147s
max time network
100s
platform
windows10_x64
resource
win10v200430
submitted
09/07/2020, 15:01

Sharing

Report Analysis Logs

General

Target

myori.jpg.exe
Size

738KB
MD5

05910b6dcc01b7a2e43daf6f02e92b86
SHA1

9e5caa06c5f351576b126d5bf9270a2fe2a3eabf
SHA256

1bd16b971407f4aeb31f7eb8392b2299b22cc8e1778a8c770e7ac4c0150681e8
SHA512

ffaf1bddb36123d230a605a1adf7028765219966105cc4cef01712bb049a72d7d003d1994ac5f631240bdb6a92130836e9cf3479e401917953abb25be9ec2341

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2224	3768	WerFault.exe	65

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2224	WerFault.exe
2224	WerFault.exe
2224	WerFault.exe
2224	WerFault.exe
2224	WerFault.exe
2224	WerFault.exe
2224	WerFault.exe
2224	WerFault.exe
2224	WerFault.exe
2224	WerFault.exe
2224	WerFault.exe
2224	WerFault.exe
2224	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	2224	WerFault.exe
Token: SeBackupPrivilege	2224	WerFault.exe
Token: SeDebugPrivilege	2224	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\myori.jpg.exe
"C:\Users\Admin\AppData\Local\Temp\myori.jpg.exe"
1⤵
PID:3768
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3768 -s 1148
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2224

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2224-0-0x0000000004DF0000-0x0000000004DF1000-memory.dmp

Filesize
4KB

Download