8afd97ec2b6815e45a6016caf6b63456c5f9c18288a146d01d3829f40fa57e44 | Triage

Analysis

max time kernel
64s
max time network
101s
platform
windows10_x64
resource
win10v200430
submitted
10/07/2020, 08:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

jBLDo.exe
Size

452KB
MD5

7e00a1a895ef9cc2f36a125fe65d06fc
SHA1

83b6e97d378c41cc3b0024d613c61ffbe76f6343
SHA256

8afd97ec2b6815e45a6016caf6b63456c5f9c18288a146d01d3829f40fa57e44
SHA512

fe353c4f9406de60328af75836a6d32212b6d6a417f7db803d7dbe7d3de0c52dda2829a979c4f086b8ada952ac3acfee1595a40bf7c332853d580b6b34c247ab

Score

3^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2164	WerFault.exe
2164	WerFault.exe
2164	WerFault.exe
2164	WerFault.exe
2164	WerFault.exe
2164	WerFault.exe
2164	WerFault.exe
2164	WerFault.exe
2164	WerFault.exe
2164	WerFault.exe
2164	WerFault.exe
2164	WerFault.exe
2164	WerFault.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2164	1008	WerFault.exe	65

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	2164	WerFault.exe
Token: SeBackupPrivilege	2164	WerFault.exe
Token: SeDebugPrivilege	2164	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\jBLDo.exe
"C:\Users\Admin\AppData\Local\Temp\jBLDo.exe"
1⤵
PID:1008
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1008 -s 1140
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:2164

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2164-0-0x0000000004670000-0x0000000004671000-memory.dmp

Filesize
4KB

Download
memory/2164-1-0x0000000004CB0000-0x0000000004CB1000-memory.dmp

Filesize
4KB

Download