6fae5955bfeac6e762f65fabedb2be2fdcd385347e6b9db19825096ee2ebd9a1 | Triage

Analysis

max time kernel
147s
max time network
102s
platform
windows10_x64
resource
win10v200430
submitted
13/07/2020, 11:07

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

YdvJnnnDX0FUKjI.exe
Size

290KB
MD5

1795c0e7a5c67752a3e13c5a0f6ce9af
SHA1

509635b13636a2b0dc5308270fbabfdfa4e0a020
SHA256

6fae5955bfeac6e762f65fabedb2be2fdcd385347e6b9db19825096ee2ebd9a1
SHA512

ed7384717a3c6c63b53188b73a46c57058f4bd327c14fb11f23ae7e8c42cf7f63a7e0aef6914cc08301b4615d3f3d9d87c56037a37e4e57269e63703d53683d2

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2492	3768	WerFault.exe	65

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2492	WerFault.exe
2492	WerFault.exe
2492	WerFault.exe
2492	WerFault.exe
2492	WerFault.exe
2492	WerFault.exe
2492	WerFault.exe
2492	WerFault.exe
2492	WerFault.exe
2492	WerFault.exe
2492	WerFault.exe
2492	WerFault.exe
2492	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	2492	WerFault.exe
Token: SeBackupPrivilege	2492	WerFault.exe
Token: SeDebugPrivilege	2492	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\YdvJnnnDX0FUKjI.exe
"C:\Users\Admin\AppData\Local\Temp\YdvJnnnDX0FUKjI.exe"
1⤵
PID:3768
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3768 -s 1140
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2492

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2492-0-0x0000000004D20000-0x0000000004D21000-memory.dmp

Filesize
4KB

Download
memory/2492-1-0x00000000055D0000-0x00000000055D1000-memory.dmp

Filesize
4KB

Download