e4efbdcde8db7352bdf2cb15677d4dea605e29e8fbcaf77f4aa0bd4d6a089117 | Triage

Analysis

max time kernel
131s
max time network
100s
platform
windows10_x64
resource
win10v200430
submitted
09/07/2020, 07:29

Sharing

Report Analysis Logs

General

Target

wT68Fevuk5oozkl.exe
Size

557KB
MD5

fc5cd5a5634e0278a26c917a4d35e6cb
SHA1

947a2b235f0931d7dbae5ae7e191787e206f7628
SHA256

e4efbdcde8db7352bdf2cb15677d4dea605e29e8fbcaf77f4aa0bd4d6a089117
SHA512

feb93650e811bf601f33850a0def95b436ce1677172e3a257492e28159506b7ee7c586a42c1ad8d37555ec6ac2371fd12c451732a16fbb9c403af5e0ad3201f5

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3596	1732	WerFault.exe	67

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	3596	WerFault.exe
Token: SeBackupPrivilege	3596	WerFault.exe
Token: SeDebugPrivilege	3596	WerFault.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
3596	WerFault.exe
3596	WerFault.exe
3596	WerFault.exe
3596	WerFault.exe
3596	WerFault.exe
3596	WerFault.exe
3596	WerFault.exe
3596	WerFault.exe
3596	WerFault.exe
3596	WerFault.exe
3596	WerFault.exe
3596	WerFault.exe
3596	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\wT68Fevuk5oozkl.exe
"C:\Users\Admin\AppData\Local\Temp\wT68Fevuk5oozkl.exe"
1⤵
PID:1732
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1732 -s 1144
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  PID:3596

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3596-0-0x0000000004580000-0x0000000004581000-memory.dmp

Filesize
4KB

Download
memory/3596-1-0x00000000048C0000-0x00000000048C1000-memory.dmp

Filesize
4KB

Download