3e1948c266a9b1c6818e5136b021fb7146f334912fa4a3975343479062f45b35 | Triage

Analysis

max time kernel
147s
max time network
101s
platform
windows10_x64
resource
win10v200430
submitted
10/07/2020, 05:09

Sharing

Report Analysis Logs

General

Target

MCB-87669.exe
Size

684KB
MD5

70c4d5c030027ad6717effc742a99b4a
SHA1

65de3bee4d4643c937607df4ddb1ecc3ad01929f
SHA256

3e1948c266a9b1c6818e5136b021fb7146f334912fa4a3975343479062f45b35
SHA512

b023cc113871b94fcbe7b7b00baed402167205bc4206010a34eb7305b8fd984fe176d3a0bf5219cc722605ea7d3dce6b77193f62993f7119a0841b7b8e41c310

Score

3^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2492	WerFault.exe
2492	WerFault.exe
2492	WerFault.exe
2492	WerFault.exe
2492	WerFault.exe
2492	WerFault.exe
2492	WerFault.exe
2492	WerFault.exe
2492	WerFault.exe
2492	WerFault.exe
2492	WerFault.exe
2492	WerFault.exe
2492	WerFault.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2492	3768	WerFault.exe	65

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	2492	WerFault.exe
Token: SeBackupPrivilege	2492	WerFault.exe
Token: SeDebugPrivilege	2492	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\MCB-87669.exe
"C:\Users\Admin\AppData\Local\Temp\MCB-87669.exe"
1⤵
PID:3768
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3768 -s 920
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:2492

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2492-0-0x0000000004170000-0x0000000004171000-memory.dmp

Filesize
4KB

Download
memory/2492-1-0x00000000047B0000-0x00000000047B1000-memory.dmp

Filesize
4KB

Download