744b624507df8e9bccf72af6cc834130ad75deb8c1beff8084cd101605c8eec1 | Triage

Analysis

max time kernel
65s
max time network
92s
platform
windows10_x64
resource
win10
submitted
10-07-2020 07:06

Sharing

Report Analysis Logs

General

Target

po=593624.exe
Size

410KB
MD5

ba0ebf1fef1d06e21378af70a1e8babe
SHA1

b0d07ccd59b84569841d2aa3a0529cedb7d7ecc4
SHA256

744b624507df8e9bccf72af6cc834130ad75deb8c1beff8084cd101605c8eec1
SHA512

ce49bc92c10916afbc9f7c8bc1d9c34184f674f62f03ac02b600c335aec5873c4dcaaa6dd275f539bafa088f8ae79dd197269c85bb7b59e8b3598c8c0ed5954a

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3824 3104 WerFault.exe po=593624.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

WerFault.exe

pid	process
3824	WerFault.exe
3824	WerFault.exe
3824	WerFault.exe
3824	WerFault.exe
3824	WerFault.exe
3824	WerFault.exe
3824	WerFault.exe
3824	WerFault.exe
3824	WerFault.exe
3824	WerFault.exe
3824	WerFault.exe
3824	WerFault.exe
3824	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 3824 WerFault.exe
Token: SeBackupPrivilege 3824 WerFault.exe
Token: SeDebugPrivilege 3824 WerFault.exe

C:\Users\Admin\AppData\Local\Temp\po=593624.exe
"C:\Users\Admin\AppData\Local\Temp\po=593624.exe"
1⤵
PID:3104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3104 -s 912
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3824

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3824-0-0x0000000004F00000-0x0000000004F01000-memory.dmp

Filesize
4KB

Download
memory/3824-1-0x00000000054C0000-0x00000000054C1000-memory.dmp

Filesize
4KB

Download