d32e0d534634c106e906ffb62e5485bca9ee6023eafc3acf6777f1c48d9f8952 | Triage

Analysis

max time kernel
137s
max time network
102s
platform
windows10_x64
resource
win10v200430
submitted
13/07/2020, 09:40

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2929a107.exe
Size

156KB
MD5

16c0db7429d6dc0e88fc5cc50863ad88
SHA1

c0259e1e3a715c34cd7b6bb678dd4ed34decfc71
SHA256

d32e0d534634c106e906ffb62e5485bca9ee6023eafc3acf6777f1c48d9f8952
SHA512

a073a343c2ac19d3223d73b841cfd079dc3f33a56e654ea9c34d0c4836678363421b4b04f480c58af38edf9a7211481509cc676e0881a6687c05823061bb5b84

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2828	640	WerFault.exe	65

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	2828	WerFault.exe
Token: SeBackupPrivilege	2828	WerFault.exe
Token: SeDebugPrivilege	2828	WerFault.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2828	WerFault.exe
2828	WerFault.exe
2828	WerFault.exe
2828	WerFault.exe
2828	WerFault.exe
2828	WerFault.exe
2828	WerFault.exe
2828	WerFault.exe
2828	WerFault.exe
2828	WerFault.exe
2828	WerFault.exe
2828	WerFault.exe
2828	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\2929a107.exe
"C:\Users\Admin\AppData\Local\Temp\2929a107.exe"
1⤵
PID:640
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 640 -s 1140
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  PID:2828

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2828-0-0x00000000049A0000-0x00000000049A1000-memory.dmp

Filesize
4KB

Download
memory/2828-1-0x0000000005260000-0x0000000005261000-memory.dmp

Filesize
4KB

Download