3e1948c266a9b1c6818e5136b021fb7146f334912fa4a3975343479062f45b35 | Triage

Analysis

max time kernel
147s
max time network
101s
platform
windows10_x64
resource
win10v200430
submitted
10-07-2020 05:09

Sharing

Report Analysis Logs

General

Target

MCB-87669.exe
Size

684KB
MD5

70c4d5c030027ad6717effc742a99b4a
SHA1

65de3bee4d4643c937607df4ddb1ecc3ad01929f
SHA256

3e1948c266a9b1c6818e5136b021fb7146f334912fa4a3975343479062f45b35
SHA512

b023cc113871b94fcbe7b7b00baed402167205bc4206010a34eb7305b8fd984fe176d3a0bf5219cc722605ea7d3dce6b77193f62993f7119a0841b7b8e41c310

Score

3^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

WerFault.exe

pid	process
2492	WerFault.exe
2492	WerFault.exe
2492	WerFault.exe
2492	WerFault.exe
2492	WerFault.exe
2492	WerFault.exe
2492	WerFault.exe
2492	WerFault.exe
2492	WerFault.exe
2492	WerFault.exe
2492	WerFault.exe
2492	WerFault.exe
2492	WerFault.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2492 3768 WerFault.exe MCB-87669.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 2492 WerFault.exe
Token: SeBackupPrivilege 2492 WerFault.exe
Token: SeDebugPrivilege 2492 WerFault.exe

C:\Users\Admin\AppData\Local\Temp\MCB-87669.exe
"C:\Users\Admin\AppData\Local\Temp\MCB-87669.exe"
1⤵
PID:3768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3768 -s 920
2⤵
- Suspicious behavior: EnumeratesProcesses
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2492

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2492-0-0x0000000004170000-0x0000000004171000-memory.dmp

Filesize
4KB

Download
memory/2492-1-0x00000000047B0000-0x00000000047B1000-memory.dmp

Filesize
4KB

Download