9c1f76b540f055b2b6131cde2f6896e73f3e0170070c0551d90d20364156d32c | Triage

Analysis

max time kernel
75s
max time network
146s
platform
windows10_x64
resource
win10
submitted
10-07-2020 17:42

Sharing

Report Analysis Logs

General

Target

Image001.exe
Size

652KB
MD5

9ad127f4f4d28ea19395cb16c194f23d
SHA1

21ce15a2f1ee49d7420ea368e51cf92b61028a4c
SHA256

9c1f76b540f055b2b6131cde2f6896e73f3e0170070c0551d90d20364156d32c
SHA512

b3e6f896c4d0747e0d575b1abc63eb96eb0cd791bce21275c44b58731494fa143f1ba03ea6185ee1d3c25366c32e8b26bdefdd4624f0f9780e3e8fcc64665d13

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3004 748 WerFault.exe Image001.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

WerFault.exe

pid	process
3004	WerFault.exe
3004	WerFault.exe
3004	WerFault.exe
3004	WerFault.exe
3004	WerFault.exe
3004	WerFault.exe
3004	WerFault.exe
3004	WerFault.exe
3004	WerFault.exe
3004	WerFault.exe
3004	WerFault.exe
3004	WerFault.exe
3004	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 3004 WerFault.exe
Token: SeBackupPrivilege 3004 WerFault.exe
Token: SeDebugPrivilege 3004 WerFault.exe

C:\Users\Admin\AppData\Local\Temp\Image001.exe
"C:\Users\Admin\AppData\Local\Temp\Image001.exe"
1⤵
PID:748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 748 -s 900
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3004

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3004-0-0x00000000045E0000-0x00000000045E1000-memory.dmp

Filesize
4KB

Download
memory/3004-1-0x0000000004BA0000-0x0000000004BA1000-memory.dmp

Filesize
4KB

Download
memory/3004-2-0x0000000004FA0000-0x0000000004FA1000-memory.dmp

Filesize
4KB

Download