1f6648f6fd581ed57b9566f4eb942687aaa6401baba93ed7c287933c7d3d6ab1 | Triage

Analysis

max time kernel
68s
max time network
119s
platform
windows10_x64
resource
win10
submitted
13-07-2020 06:34

Sharing

Report Analysis Logs

General

Target

b9ad9d623e05bfa11124ab8b54c74fbd.exe
Size

324KB
MD5

b9ad9d623e05bfa11124ab8b54c74fbd
SHA1

ed51c11b5170b1860f8935d6af82dde8b4a38f85
SHA256

1f6648f6fd581ed57b9566f4eb942687aaa6401baba93ed7c287933c7d3d6ab1
SHA512

bb82af31337a939d1af30668876095e205341180ef0bf800fd5d8789a2fe1663f38ffa00be76d017029b6c54c7b1364bf60f58ba8373fc88e001697a3e99bfd0

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3812 1536 WerFault.exe b9ad9d623e05bfa11124ab8b54c74fbd.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

WerFault.exe

pid	process
3812	WerFault.exe
3812	WerFault.exe
3812	WerFault.exe
3812	WerFault.exe
3812	WerFault.exe
3812	WerFault.exe
3812	WerFault.exe
3812	WerFault.exe
3812	WerFault.exe
3812	WerFault.exe
3812	WerFault.exe
3812	WerFault.exe
3812	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 3812 WerFault.exe
Token: SeBackupPrivilege 3812 WerFault.exe
Token: SeDebugPrivilege 3812 WerFault.exe

C:\Users\Admin\AppData\Local\Temp\b9ad9d623e05bfa11124ab8b54c74fbd.exe
"C:\Users\Admin\AppData\Local\Temp\b9ad9d623e05bfa11124ab8b54c74fbd.exe"
1⤵
PID:1536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1536 -s 1140
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3812

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3812-0-0x0000000004210000-0x0000000004211000-memory.dmp

Filesize
4KB

Download
memory/3812-1-0x0000000004A40000-0x0000000004A41000-memory.dmp

Filesize
4KB

Download