0a8a4c3e09dd9ea5652a1388c395ed0707e6e2c370fa0fa288f71da425022464 | Triage

Analysis

max time kernel
121s
max time network
117s
platform
windows10_x64
resource
win10
submitted
10-07-2020 07:35

Sharing

Report Analysis Logs

General

Target

gunzipped.exe
Size

546KB
MD5

da020d0c54734d21d96efd3b05cafc0b
SHA1

1ef4a1601984ed3eeffcaa15ecaec7ded28f7ebd
SHA256

0a8a4c3e09dd9ea5652a1388c395ed0707e6e2c370fa0fa288f71da425022464
SHA512

233816b405f65db45ef67ddac66e16746d341ebd53c6ab289f5ef19ded128eb82631cf2f6a9593771a71bdf564a2c667b4088cba43524c480ce6ba6ad2c352b9

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3344 976 WerFault.exe gunzipped.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

WerFault.exe

pid	process
3344	WerFault.exe
3344	WerFault.exe
3344	WerFault.exe
3344	WerFault.exe
3344	WerFault.exe
3344	WerFault.exe
3344	WerFault.exe
3344	WerFault.exe
3344	WerFault.exe
3344	WerFault.exe
3344	WerFault.exe
3344	WerFault.exe
3344	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 3344 WerFault.exe
Token: SeBackupPrivilege 3344 WerFault.exe
Token: SeDebugPrivilege 3344 WerFault.exe

C:\Users\Admin\AppData\Local\Temp\gunzipped.exe
"C:\Users\Admin\AppData\Local\Temp\gunzipped.exe"
1⤵
PID:976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 976 -s 912
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3344

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3344-0-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/3344-1-0x00000000056D0000-0x00000000056D1000-memory.dmp

Filesize
4KB

Download