33bbefb4d3bb2a66e713a55da6b852df10241fb371ebda3e5a39a761bacca0b3 | Triage

Analysis

max time kernel
141s
max time network
105s
platform
windows10_x64
resource
win10v200430
submitted
09-07-2020 07:39

Sharing

Report Analysis Logs

General

Target

sZ5JiFfRsBQ6Tku.exe
Size

1.1MB
MD5

d685eb26c1eb33c30201f51712f095ce
SHA1

360a6390533be7bdff392f115db5011f9ffebf10
SHA256

33bbefb4d3bb2a66e713a55da6b852df10241fb371ebda3e5a39a761bacca0b3
SHA512

0d7562e83bd33195d45f3f5441725eeeb942c3fd9c9dd468fe9c2e30a043fa34b00db403d18fb37d7dfb5d66ac4569b7fe2c89295248880b982ff9b3d379b2d6

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2480	4004	WerFault.exe	65

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	2480	WerFault.exe
Token: SeBackupPrivilege	2480	WerFault.exe
Token: SeDebugPrivilege	2480	WerFault.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2480	WerFault.exe
2480	WerFault.exe
2480	WerFault.exe
2480	WerFault.exe
2480	WerFault.exe
2480	WerFault.exe
2480	WerFault.exe
2480	WerFault.exe
2480	WerFault.exe
2480	WerFault.exe
2480	WerFault.exe
2480	WerFault.exe
2480	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\sZ5JiFfRsBQ6Tku.exe
"C:\Users\Admin\AppData\Local\Temp\sZ5JiFfRsBQ6Tku.exe"
1⤵
PID:4004
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4004 -s 1160
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  PID:2480

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2480-0-0x0000000004F40000-0x0000000004F41000-memory.dmp

Filesize
4KB

Download
memory/2480-2-0x0000000005580000-0x0000000005581000-memory.dmp

Filesize
4KB

Download