922d69b91fbe84aaf3f6fae8eb416ce48f8106e6cb5ec60846409beb029b235b | Triage

Analysis

max time kernel
131s
max time network
126s
platform
windows10_x64
resource
win10
submitted
09/07/2020, 08:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

CV.exe
Size

452KB
MD5

da433bf4f7ae613fa6a3e3b52f006a6b
SHA1

2d0273829977db284382be3e6735ac9993ea91a1
SHA256

922d69b91fbe84aaf3f6fae8eb416ce48f8106e6cb5ec60846409beb029b235b
SHA512

2d64e923cb6809c70873c8d8801148fcab302876eb81978746a1311028e75197701c766ef0ea76334145a58a2b4c79e1f9388a4c35cc9b8fa82df53396f38e51

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1584	384	WerFault.exe	66

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	1584	WerFault.exe
Token: SeBackupPrivilege	1584	WerFault.exe
Token: SeDebugPrivilege	1584	WerFault.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
1584	WerFault.exe
1584	WerFault.exe
1584	WerFault.exe
1584	WerFault.exe
1584	WerFault.exe
1584	WerFault.exe
1584	WerFault.exe
1584	WerFault.exe
1584	WerFault.exe
1584	WerFault.exe
1584	WerFault.exe
1584	WerFault.exe
1584	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\CV.exe
"C:\Users\Admin\AppData\Local\Temp\CV.exe"
1⤵
PID:384
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 384 -s 1136
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  PID:1584

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1584-0-0x0000000004900000-0x0000000004901000-memory.dmp

Filesize
4KB

Download
memory/1584-1-0x0000000004D00000-0x0000000004D01000-memory.dmp

Filesize
4KB

Download
memory/1584-2-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download