caf1d4f374de0479bc4ca6caa289cfc35720779080a2957aab92ba4fc1602e6c | Triage

Analysis

max time kernel
135s
max time network
100s
platform
windows10_x64
resource
win10v200430
submitted
11-07-2020 06:17

Sharing

Report Analysis Logs

General

Target

7CzjGIK5znX0kpa.exe
Size

502KB
MD5

9e6da1d360e74959a1665f5027bd5d22
SHA1

5157da7428751f7f45fb51c18f0692b64a47dfb5
SHA256

caf1d4f374de0479bc4ca6caa289cfc35720779080a2957aab92ba4fc1602e6c
SHA512

a995a581ab8cd8198fe4d901f6a800d2cc359fc1a08fefc40b164d86482185226e00ac2ed8adaa457acb13aff07ed03ea30381c4edc819bfc3526f9d3ba3ddbe

Score

3^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2768	WerFault.exe
2768	WerFault.exe
2768	WerFault.exe
2768	WerFault.exe
2768	WerFault.exe
2768	WerFault.exe
2768	WerFault.exe
2768	WerFault.exe
2768	WerFault.exe
2768	WerFault.exe
2768	WerFault.exe
2768	WerFault.exe
2768	WerFault.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2768	2804	WerFault.exe	65

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	2768	WerFault.exe
Token: SeBackupPrivilege	2768	WerFault.exe
Token: SeDebugPrivilege	2768	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\7CzjGIK5znX0kpa.exe
"C:\Users\Admin\AppData\Local\Temp\7CzjGIK5znX0kpa.exe"
1⤵
PID:2804
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2804 -s 924
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:2768

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2768-0-0x0000000004B70000-0x0000000004B71000-memory.dmp

Filesize
4KB

Download
memory/2768-2-0x0000000005230000-0x0000000005231000-memory.dmp

Filesize
4KB

Download