a4871c9770bdd0f9454e689411f3ffb3267913568b49f6457d681470770fa92e | Triage

Analysis

max time kernel
135s
max time network
103s
platform
windows10_x64
resource
win10v200430
submitted
13-07-2020 06:21

Sharing

Report Analysis Logs

General

Target

PO_28710.exe
Size

336KB
MD5

f8f69c2faaab1037af50f7a03df68db8
SHA1

2ae923b73f2c3bd8064217cfb79aa015f2610a93
SHA256

a4871c9770bdd0f9454e689411f3ffb3267913568b49f6457d681470770fa92e
SHA512

36b39d6f515e76a281038c2cc1d9b92bdf98490372c35a13971e87f9f95cb6860f6f9f71ab14f1f43dc64597fdb93eea77bb2b1677e0bbfe818d3016e110e047

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2796 896 WerFault.exe PO_28710.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

WerFault.exe

pid	process
2796	WerFault.exe
2796	WerFault.exe
2796	WerFault.exe
2796	WerFault.exe
2796	WerFault.exe
2796	WerFault.exe
2796	WerFault.exe
2796	WerFault.exe
2796	WerFault.exe
2796	WerFault.exe
2796	WerFault.exe
2796	WerFault.exe
2796	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 2796 WerFault.exe
Token: SeBackupPrivilege 2796 WerFault.exe
Token: SeDebugPrivilege 2796 WerFault.exe

C:\Users\Admin\AppData\Local\Temp\PO_28710.exe
"C:\Users\Admin\AppData\Local\Temp\PO_28710.exe"
1⤵
PID:896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 896 -s 1140
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2796

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2796-0-0x0000000004380000-0x0000000004381000-memory.dmp

Filesize
4KB

Download
memory/2796-2-0x0000000004D30000-0x0000000004D31000-memory.dmp

Filesize
4KB

Download