79d97d58dbb9845b2101ad4a03a987b9fc8e937e43b4b9f5bfe3a47f71a6f113 | Triage

Analysis

max time kernel
134s
max time network
105s
platform
windows10_x64
resource
win10v200430
submitted
09/07/2020, 07:39

Sharing

Report Analysis Logs

General

Target

0QSzXhS7MbCQTXC.exe
Size

1.1MB
MD5

4ed163913c77b6c20e55d35e34133b1b
SHA1

ae9334de8094ce58d3719a5de1fa75edda5649a0
SHA256

79d97d58dbb9845b2101ad4a03a987b9fc8e937e43b4b9f5bfe3a47f71a6f113
SHA512

f5389e60abf73f30c95c66abb2a1a736a8c9c0af959b73daf34fb1736989a324c88876c74aed57732bc89dd2886b4f400d09fad24192028a34dcf53aeeae697e

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2184	1516	WerFault.exe	65

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	2184	WerFault.exe
Token: SeBackupPrivilege	2184	WerFault.exe
Token: SeDebugPrivilege	2184	WerFault.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2184	WerFault.exe
2184	WerFault.exe
2184	WerFault.exe
2184	WerFault.exe
2184	WerFault.exe
2184	WerFault.exe
2184	WerFault.exe
2184	WerFault.exe
2184	WerFault.exe
2184	WerFault.exe
2184	WerFault.exe
2184	WerFault.exe
2184	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\0QSzXhS7MbCQTXC.exe
"C:\Users\Admin\AppData\Local\Temp\0QSzXhS7MbCQTXC.exe"
1⤵
PID:1516
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 1156
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  PID:2184

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2184-0-0x0000000004A00000-0x0000000004A01000-memory.dmp

Filesize
4KB

Download
memory/2184-1-0x0000000005140000-0x0000000005141000-memory.dmp

Filesize
4KB

Download