1f6648f6fd581ed57b9566f4eb942687aaa6401baba93ed7c287933c7d3d6ab1 | Triage

Analysis

max time kernel
68s
max time network
119s
platform
windows10_x64
resource
win10
submitted
13/07/2020, 06:34

Sharing

Report Analysis Logs

General

Target

b9ad9d623e05bfa11124ab8b54c74fbd.exe
Size

324KB
MD5

b9ad9d623e05bfa11124ab8b54c74fbd
SHA1

ed51c11b5170b1860f8935d6af82dde8b4a38f85
SHA256

1f6648f6fd581ed57b9566f4eb942687aaa6401baba93ed7c287933c7d3d6ab1
SHA512

bb82af31337a939d1af30668876095e205341180ef0bf800fd5d8789a2fe1663f38ffa00be76d017029b6c54c7b1364bf60f58ba8373fc88e001697a3e99bfd0

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3812	1536	WerFault.exe	66

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
3812	WerFault.exe
3812	WerFault.exe
3812	WerFault.exe
3812	WerFault.exe
3812	WerFault.exe
3812	WerFault.exe
3812	WerFault.exe
3812	WerFault.exe
3812	WerFault.exe
3812	WerFault.exe
3812	WerFault.exe
3812	WerFault.exe
3812	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	3812	WerFault.exe
Token: SeBackupPrivilege	3812	WerFault.exe
Token: SeDebugPrivilege	3812	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\b9ad9d623e05bfa11124ab8b54c74fbd.exe
"C:\Users\Admin\AppData\Local\Temp\b9ad9d623e05bfa11124ab8b54c74fbd.exe"
1⤵
PID:1536
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1536 -s 1140
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3812

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3812-0-0x0000000004210000-0x0000000004211000-memory.dmp

Filesize
4KB

Download
memory/3812-1-0x0000000004A40000-0x0000000004A41000-memory.dmp

Filesize
4KB

Download