20cbb283cb7afb5d8fa52a8d3ec9de554015d2194891f852c089c584fb7834f1 | Triage

Analysis

max time kernel
136s
max time network
100s
platform
windows10_x64
resource
win10v200430
submitted
10/07/2020, 16:11

Sharing

Report Analysis Logs

General

Target

PO-0561.exe
Size

738KB
MD5

2184af28a35fa82fd8a4d068e8326fcd
SHA1

3ef6f147af1c1f626f6ad3f96e5d3f649d396e4f
SHA256

20cbb283cb7afb5d8fa52a8d3ec9de554015d2194891f852c089c584fb7834f1
SHA512

e651d151515a60387952a3dbbd30d9a9575b4e7eb9b1c3095743abcecf2ad67a2d5685ae3aa77fb3f393c9a0e9f5bcd839a21145ea9861a97068ffc9e2c6d497

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2128	3944	WerFault.exe	65

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2128	WerFault.exe
2128	WerFault.exe
2128	WerFault.exe
2128	WerFault.exe
2128	WerFault.exe
2128	WerFault.exe
2128	WerFault.exe
2128	WerFault.exe
2128	WerFault.exe
2128	WerFault.exe
2128	WerFault.exe
2128	WerFault.exe
2128	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	2128	WerFault.exe
Token: SeBackupPrivilege	2128	WerFault.exe
Token: SeDebugPrivilege	2128	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\PO-0561.exe
"C:\Users\Admin\AppData\Local\Temp\PO-0561.exe"
1⤵
PID:3944
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 896
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2128

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2128-0-0x0000000004760000-0x0000000004761000-memory.dmp

Filesize
4KB

Download
memory/2128-2-0x0000000004D20000-0x0000000004D21000-memory.dmp

Filesize
4KB

Download