edc773741982183fbbca2bc01649bdd6904f8aac5392cec6cfcfeab881c1e727 | Triage

Analysis

max time kernel
142s
max time network
100s
platform
windows10_x64
resource
win10v200430
submitted
13-07-2020 06:09

Sharing

Report Analysis Logs

General

Target

edc773741982183fbbca2bc01649bdd6904f8aac5392cec6cfcfeab881c1e727.exe
Size

154KB
MD5

d8ac268c14e3fec94e2e5d8b4bcb2b10
SHA1

e35f41e58941b087e60e861067bbe98673b98185
SHA256

edc773741982183fbbca2bc01649bdd6904f8aac5392cec6cfcfeab881c1e727
SHA512

c316d05bf2ddf3af51fc051f2ecfa1e422894003a16b6301f10ff7ea05aff7c9bb889b4d5ceb7f9343ea4c532a79f7774dd212e764e2119fc5ebad4941f4e5e7

Score

3^/10

Malware Config

Signatures

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	2236	WerFault.exe
Token: SeBackupPrivilege	2236	WerFault.exe
Token: SeDebugPrivilege	2236	WerFault.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2236	WerFault.exe
2236	WerFault.exe
2236	WerFault.exe
2236	WerFault.exe
2236	WerFault.exe
2236	WerFault.exe
2236	WerFault.exe
2236	WerFault.exe
2236	WerFault.exe
2236	WerFault.exe
2236	WerFault.exe
2236	WerFault.exe
2236	WerFault.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2236	4004	WerFault.exe	65

C:\Users\Admin\AppData\Local\Temp\edc773741982183fbbca2bc01649bdd6904f8aac5392cec6cfcfeab881c1e727.exe
"C:\Users\Admin\AppData\Local\Temp\edc773741982183fbbca2bc01649bdd6904f8aac5392cec6cfcfeab881c1e727.exe"
1⤵
PID:4004
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4004 -s 1140
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  - Program crash
  PID:2236

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2236-0-0x0000000004DC0000-0x0000000004DC1000-memory.dmp

Filesize
4KB

Download
memory/2236-1-0x00000000055F0000-0x00000000055F1000-memory.dmp

Filesize
4KB

Download