2474c1ce1d299fd2234e7b10f6e464861151bf53e68f15a2a944dbeb56e5e0e9 | Triage

Analysis

max time kernel
134s
max time network
137s
platform
windows10_x64
resource
win10
submitted
10-07-2020 05:10

Sharing

Report Analysis Logs

General

Target

9a31a01f8e6fd171bc5e6bcdba4ef0c4.exe
Size

1.0MB
MD5

9a31a01f8e6fd171bc5e6bcdba4ef0c4
SHA1

6bac9e69835450235fa6ff9580f3c35a46df526b
SHA256

2474c1ce1d299fd2234e7b10f6e464861151bf53e68f15a2a944dbeb56e5e0e9
SHA512

d162b78512cb5890fdb42c7ae595c10fe37e362d733d1d9f114a1fae6aeec89fcfd3458dbc2d879c48710d04134a877d7bfea01b031a79e0b528a9d1157aa71a

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3784 3708 WerFault.exe 9a31a01f8e6fd171bc5e6bcdba4ef0c4.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 3784 WerFault.exe
Token: SeBackupPrivilege 3784 WerFault.exe
Token: SeDebugPrivilege 3784 WerFault.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

WerFault.exe

pid	process
3784	WerFault.exe
3784	WerFault.exe
3784	WerFault.exe
3784	WerFault.exe
3784	WerFault.exe
3784	WerFault.exe
3784	WerFault.exe
3784	WerFault.exe
3784	WerFault.exe
3784	WerFault.exe
3784	WerFault.exe
3784	WerFault.exe
3784	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\9a31a01f8e6fd171bc5e6bcdba4ef0c4.exe
"C:\Users\Admin\AppData\Local\Temp\9a31a01f8e6fd171bc5e6bcdba4ef0c4.exe"
1⤵
PID:3708
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3708 -s 912
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  PID:3784

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3784-0-0x00000000043F0000-0x00000000043F1000-memory.dmp

Filesize
4KB

Download
memory/3784-1-0x00000000049B0000-0x00000000049B1000-memory.dmp

Filesize
4KB

Download