9105fddbf7ca864fe5d867a903e7c80bafecc9d3530ec791fdaf93366067b252 | Triage

Analysis

max time kernel
76s
max time network
121s
platform
windows10_x64
resource
win10
submitted
09-07-2020 06:32

Sharing

Report Analysis Logs

General

Target

PO-7546354.exe
Size

714KB
MD5

45394c0479e6c67b50f6d43440edbbc6
SHA1

c3fca76e8482745fb9f1312b78d2a69e45c4688e
SHA256

9105fddbf7ca864fe5d867a903e7c80bafecc9d3530ec791fdaf93366067b252
SHA512

348dce4cd83855a1c0d680f2a8d1c01ef3012cbc5314971c23eb283c9ed3295d707de8c4653b65af3a9edc395d33e14d6116c20b1b075eb0caf823e72058e10b

Score

3^/10

Malware Config

Signatures

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	3712	WerFault.exe
Token: SeBackupPrivilege	3712	WerFault.exe
Token: SeDebugPrivilege	3712	WerFault.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
3712	WerFault.exe
3712	WerFault.exe
3712	WerFault.exe
3712	WerFault.exe
3712	WerFault.exe
3712	WerFault.exe
3712	WerFault.exe
3712	WerFault.exe
3712	WerFault.exe
3712	WerFault.exe
3712	WerFault.exe
3712	WerFault.exe
3712	WerFault.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3712	2808	WerFault.exe	66

C:\Users\Admin\AppData\Local\Temp\PO-7546354.exe
"C:\Users\Admin\AppData\Local\Temp\PO-7546354.exe"
1⤵
PID:2808
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2808 -s 1144
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  - Program crash
  PID:3712

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3712-0-0x0000000004F40000-0x0000000004F41000-memory.dmp

Filesize
4KB

Download
memory/3712-1-0x0000000005340000-0x0000000005341000-memory.dmp

Filesize
4KB

Download
memory/3712-2-0x0000000005740000-0x0000000005741000-memory.dmp

Filesize
4KB

Download
memory/3712-3-0x0000000005B40000-0x0000000005B41000-memory.dmp

Filesize
4KB

Download