744b624507df8e9bccf72af6cc834130ad75deb8c1beff8084cd101605c8eec1 | Triage

Analysis

max time kernel
65s
max time network
92s
platform
windows10_x64
resource
win10
submitted
10/07/2020, 07:06

Sharing

Report Analysis Logs

General

Target

po=593624.exe
Size

410KB
MD5

ba0ebf1fef1d06e21378af70a1e8babe
SHA1

b0d07ccd59b84569841d2aa3a0529cedb7d7ecc4
SHA256

744b624507df8e9bccf72af6cc834130ad75deb8c1beff8084cd101605c8eec1
SHA512

ce49bc92c10916afbc9f7c8bc1d9c34184f674f62f03ac02b600c335aec5873c4dcaaa6dd275f539bafa088f8ae79dd197269c85bb7b59e8b3598c8c0ed5954a

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3824	3104	WerFault.exe	66

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
3824	WerFault.exe
3824	WerFault.exe
3824	WerFault.exe
3824	WerFault.exe
3824	WerFault.exe
3824	WerFault.exe
3824	WerFault.exe
3824	WerFault.exe
3824	WerFault.exe
3824	WerFault.exe
3824	WerFault.exe
3824	WerFault.exe
3824	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	3824	WerFault.exe
Token: SeBackupPrivilege	3824	WerFault.exe
Token: SeDebugPrivilege	3824	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\po=593624.exe
"C:\Users\Admin\AppData\Local\Temp\po=593624.exe"
1⤵
PID:3104
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3104 -s 912
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3824

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3824-0-0x0000000004F00000-0x0000000004F01000-memory.dmp

Filesize
4KB

Download
memory/3824-1-0x00000000054C0000-0x00000000054C1000-memory.dmp

Filesize
4KB

Download