5852518bca655111976a3d44d8418dac0fcdf45338a5a00e66a9e9d4d2dd6122 | Triage

Analysis

max time kernel
136s
max time network
100s
platform
windows10_x64
resource
win10v200430
submitted
13/07/2020, 09:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

62a107.exe
Size

156KB
MD5

ddb0136ad007d0b77ca903688776dbc6
SHA1

f3d9ca6d33be62b382b3ed2446b733938cac5245
SHA256

5852518bca655111976a3d44d8418dac0fcdf45338a5a00e66a9e9d4d2dd6122
SHA512

088b2d10929c834f2b52016bb6df50b4eabc2cca4699fc052bf1113c6285946e72a53c69ac466221febef595e83f433117dd462746d0cd0f6645807b0a708b78

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2268	3944	WerFault.exe	65

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	2268	WerFault.exe
Token: SeBackupPrivilege	2268	WerFault.exe
Token: SeDebugPrivilege	2268	WerFault.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2268	WerFault.exe
2268	WerFault.exe
2268	WerFault.exe
2268	WerFault.exe
2268	WerFault.exe
2268	WerFault.exe
2268	WerFault.exe
2268	WerFault.exe
2268	WerFault.exe
2268	WerFault.exe
2268	WerFault.exe
2268	WerFault.exe
2268	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\62a107.exe
"C:\Users\Admin\AppData\Local\Temp\62a107.exe"
1⤵
PID:3944
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 1140
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  PID:2268

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2268-0-0x0000000004AF0000-0x0000000004AF1000-memory.dmp

Filesize
4KB

Download