e53201536387e3af2dbaa3ace93846f005cb8dce9164fca9133cb3a64f454a8d | Triage

Analysis

max time kernel
61s
max time network
112s
platform
windows10_x64
resource
win10
submitted
13-07-2020 11:38

Sharing

Report Analysis Logs

General

Target

WMC_catalogues and company profiles.exe
Size

561KB
MD5

6d5fcb31be21d09f26687817b099f0f9
SHA1

1f5342625aee1153d0b7cf6ac0e82cdfafa6ab6a
SHA256

e53201536387e3af2dbaa3ace93846f005cb8dce9164fca9133cb3a64f454a8d
SHA512

1c2d37753b6a4d023cce8114f32365d695edd229995efe0ea0e362202b8ec16f8eefec1969610ad0bed461009a1dead628f2db8bf9450f0d2f29706fa5725606

Score

3^/10

Malware Config

Signatures

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	3804	WerFault.exe
Token: SeBackupPrivilege	3804	WerFault.exe
Token: SeDebugPrivilege	3804	WerFault.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
3804	WerFault.exe
3804	WerFault.exe
3804	WerFault.exe
3804	WerFault.exe
3804	WerFault.exe
3804	WerFault.exe
3804	WerFault.exe
3804	WerFault.exe
3804	WerFault.exe
3804	WerFault.exe
3804	WerFault.exe
3804	WerFault.exe
3804	WerFault.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3804	3692	WerFault.exe	66

C:\Users\Admin\AppData\Local\Temp\WMC_catalogues and company profiles.exe
"C:\Users\Admin\AppData\Local\Temp\WMC_catalogues and company profiles.exe"
1⤵
PID:3692
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3692 -s 1136
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  - Program crash
  PID:3804

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3804-0-0x0000000004AE0000-0x0000000004AE1000-memory.dmp

Filesize
4KB

Download
memory/3804-2-0x00000000052A0000-0x00000000052A1000-memory.dmp

Filesize
4KB

Download