04c7c046518196b6b88e6b3860d870e1ad21728353d8e73f23a9276a1a5e211f | Triage

Analysis

max time kernel
124s
max time network
147s
platform
windows10_x64
resource
win10v200430
submitted
10-07-2020 06:51

Sharing

Report Analysis Logs

General

Target

8100OJ.exe
Size

1.7MB
MD5

bfbdaa4f58a5fb04b5ebd07df65d794c
SHA1

626c24e885bca21d7da4f74aabb55e1e6b737a76
SHA256

04c7c046518196b6b88e6b3860d870e1ad21728353d8e73f23a9276a1a5e211f
SHA512

5793ce56e85b502d20ab43e7d30b5188063cf743b160c385fe85290522a925ad745e10691513ab7014204d93729c22e275bce76313a33c9d19fcdbad4b1f2847

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2492	2040	WerFault.exe	67

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2040	8100OJ.exe
2492	WerFault.exe
2492	WerFault.exe
2492	WerFault.exe
2492	WerFault.exe
2492	WerFault.exe
2492	WerFault.exe
2492	WerFault.exe
2492	WerFault.exe
2492	WerFault.exe
2492	WerFault.exe
2492	WerFault.exe
2492	WerFault.exe
2492	WerFault.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2040	8100OJ.exe
Token: SeRestorePrivilege	2492	WerFault.exe
Token: SeBackupPrivilege	2492	WerFault.exe
Token: SeDebugPrivilege	2492	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\8100OJ.exe
"C:\Users\Admin\AppData\Local\Temp\8100OJ.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2040
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 1292
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2492

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2492-0-0x0000000004A30000-0x0000000004A31000-memory.dmp

Filesize
4KB

Download
memory/2492-1-0x0000000004A30000-0x0000000004A31000-memory.dmp

Filesize
4KB

Download
memory/2492-3-0x00000000053B0000-0x00000000053B1000-memory.dmp

Filesize
4KB

Download