8a8b601dbdc4a8b83fa1802be973df5562916711e95de88d77c0d86ce3a3e1e5 | Triage

Analysis

max time kernel
136s
max time network
98s
platform
windows10_x64
resource
win10v200430
submitted
09/07/2020, 08:53

Sharing

Report Analysis Logs

General

Target

New Government Regulations Effective.exe
Size

396KB
MD5

188567a5dc5ecb27eff09da32924bd03
SHA1

81015e96dd24740b8095391ea4c11aac2acc65e1
SHA256

8a8b601dbdc4a8b83fa1802be973df5562916711e95de88d77c0d86ce3a3e1e5
SHA512

18c7ec19d1bc4d7a9586f2a6c4a35a82ea210cec02bf2721338a3b6119e33b4edfe6722a1eca65f51ec866f7801f8a6413a3fcdbeecb2f41a3c76a5c44ae1233

Score

3^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2128	WerFault.exe
2128	WerFault.exe
2128	WerFault.exe
2128	WerFault.exe
2128	WerFault.exe
2128	WerFault.exe
2128	WerFault.exe
2128	WerFault.exe
2128	WerFault.exe
2128	WerFault.exe
2128	WerFault.exe
2128	WerFault.exe
2128	WerFault.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2128	3944	WerFault.exe	65

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	2128	WerFault.exe
Token: SeBackupPrivilege	2128	WerFault.exe
Token: SeDebugPrivilege	2128	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\New Government Regulations Effective.exe
"C:\Users\Admin\AppData\Local\Temp\New Government Regulations Effective.exe"
1⤵
PID:3944
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 1164
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:2128

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2128-0-0x0000000004440000-0x0000000004441000-memory.dmp

Filesize
4KB

Download
memory/2128-1-0x0000000004C70000-0x0000000004C71000-memory.dmp

Filesize
4KB

Download