e4b1c7f2f04d674f545b52a14617dfc553b65991c4779d1b22bf41982d1201ff | Triage

Analysis

max time kernel
137s
max time network
108s
platform
windows10_x64
resource
win10v200430
submitted
09/07/2020, 07:39

Sharing

Report Analysis Logs

General

Target

MkXhxWHcc49zLgc.exe
Size

1.1MB
MD5

aaa7c56e1365273d298fc27167a9c2bf
SHA1

c9836709996845921fa247cae630087455563672
SHA256

e4b1c7f2f04d674f545b52a14617dfc553b65991c4779d1b22bf41982d1201ff
SHA512

fd901395bdca4bd687d4746ed15007ec07923ff40f915d51ef3fb5e0777f576315deb8c51fbdf33381f49442fff80527bb03a1148892d63f33d6160d414ac158

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2396	3656	WerFault.exe	65

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	2396	WerFault.exe
Token: SeBackupPrivilege	2396	WerFault.exe
Token: SeDebugPrivilege	2396	WerFault.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2396	WerFault.exe
2396	WerFault.exe
2396	WerFault.exe
2396	WerFault.exe
2396	WerFault.exe
2396	WerFault.exe
2396	WerFault.exe
2396	WerFault.exe
2396	WerFault.exe
2396	WerFault.exe
2396	WerFault.exe
2396	WerFault.exe
2396	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\MkXhxWHcc49zLgc.exe
"C:\Users\Admin\AppData\Local\Temp\MkXhxWHcc49zLgc.exe"
1⤵
PID:3656
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3656 -s 1156
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  PID:2396

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2396-0-0x00000000043B0000-0x00000000043B1000-memory.dmp

Filesize
4KB

Download
memory/2396-1-0x00000000043B0000-0x00000000043B1000-memory.dmp

Filesize
4KB

Download