8afd97ec2b6815e45a6016caf6b63456c5f9c18288a146d01d3829f40fa57e44 | Triage

Analysis

max time kernel
64s
max time network
101s
platform
windows10_x64
resource
win10v200430
submitted
10-07-2020 08:58

Sharing

Report Analysis Logs

General

Target

jBLDo.exe
Size

452KB
MD5

7e00a1a895ef9cc2f36a125fe65d06fc
SHA1

83b6e97d378c41cc3b0024d613c61ffbe76f6343
SHA256

8afd97ec2b6815e45a6016caf6b63456c5f9c18288a146d01d3829f40fa57e44
SHA512

fe353c4f9406de60328af75836a6d32212b6d6a417f7db803d7dbe7d3de0c52dda2829a979c4f086b8ada952ac3acfee1595a40bf7c332853d580b6b34c247ab

Score

3^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

WerFault.exe

pid	process
2164	WerFault.exe
2164	WerFault.exe
2164	WerFault.exe
2164	WerFault.exe
2164	WerFault.exe
2164	WerFault.exe
2164	WerFault.exe
2164	WerFault.exe
2164	WerFault.exe
2164	WerFault.exe
2164	WerFault.exe
2164	WerFault.exe
2164	WerFault.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2164 1008 WerFault.exe jBLDo.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 2164 WerFault.exe
Token: SeBackupPrivilege 2164 WerFault.exe
Token: SeDebugPrivilege 2164 WerFault.exe

C:\Users\Admin\AppData\Local\Temp\jBLDo.exe
"C:\Users\Admin\AppData\Local\Temp\jBLDo.exe"
1⤵
PID:1008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1008 -s 1140
2⤵
- Suspicious behavior: EnumeratesProcesses
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2164

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2164-0-0x0000000004670000-0x0000000004671000-memory.dmp

Filesize
4KB

Download
memory/2164-1-0x0000000004CB0000-0x0000000004CB1000-memory.dmp

Filesize
4KB

Download