5852518bca655111976a3d44d8418dac0fcdf45338a5a00e66a9e9d4d2dd6122 | Triage

Analysis

max time kernel
136s
max time network
100s
platform
windows10_x64
resource
win10v200430
submitted
13-07-2020 09:35

Sharing

Report Analysis Logs

General

Target

62a107.exe
Size

156KB
MD5

ddb0136ad007d0b77ca903688776dbc6
SHA1

f3d9ca6d33be62b382b3ed2446b733938cac5245
SHA256

5852518bca655111976a3d44d8418dac0fcdf45338a5a00e66a9e9d4d2dd6122
SHA512

088b2d10929c834f2b52016bb6df50b4eabc2cca4699fc052bf1113c6285946e72a53c69ac466221febef595e83f433117dd462746d0cd0f6645807b0a708b78

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2268 3944 WerFault.exe 62a107.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 2268 WerFault.exe
Token: SeBackupPrivilege 2268 WerFault.exe
Token: SeDebugPrivilege 2268 WerFault.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

WerFault.exe

pid	process
2268	WerFault.exe
2268	WerFault.exe
2268	WerFault.exe
2268	WerFault.exe
2268	WerFault.exe
2268	WerFault.exe
2268	WerFault.exe
2268	WerFault.exe
2268	WerFault.exe
2268	WerFault.exe
2268	WerFault.exe
2268	WerFault.exe
2268	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\62a107.exe
"C:\Users\Admin\AppData\Local\Temp\62a107.exe"
1⤵
PID:3944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 1140
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:2268

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2268-0-0x0000000004AF0000-0x0000000004AF1000-memory.dmp

Filesize
4KB

Download