32299b31508d3573355dbee08ac526382cd90fbe5026335c5f8917ab34c02177 | Triage

Analysis

max time kernel
129s
max time network
100s
platform
windows10_x64
resource
win10v200430
submitted
13-07-2020 06:32

Sharing

Report Analysis Logs

General

Target

518202380100091.exe
Size

342KB
MD5

7d6ce76d6c678a9813eb2a778c79eaaf
SHA1

fd1e624cf11084fb645f08e820245b2b2e306927
SHA256

32299b31508d3573355dbee08ac526382cd90fbe5026335c5f8917ab34c02177
SHA512

0f14e3ca337ed82d48823020e1666ce4a9f601f2122824cf798d89563e90782b5903e1403d42a03b3321c912e107ac11116baf1c039dc376b05c21cd0ffcc7ec

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2168 1828 WerFault.exe 518202380100091.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

WerFault.exe

pid	process
2168	WerFault.exe
2168	WerFault.exe
2168	WerFault.exe
2168	WerFault.exe
2168	WerFault.exe
2168	WerFault.exe
2168	WerFault.exe
2168	WerFault.exe
2168	WerFault.exe
2168	WerFault.exe
2168	WerFault.exe
2168	WerFault.exe
2168	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 2168 WerFault.exe
Token: SeBackupPrivilege 2168 WerFault.exe
Token: SeDebugPrivilege 2168 WerFault.exe

C:\Users\Admin\AppData\Local\Temp\518202380100091.exe
"C:\Users\Admin\AppData\Local\Temp\518202380100091.exe"
1⤵
PID:1828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1828 -s 1136
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2168

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2168-0-0x0000000004A20000-0x0000000004A21000-memory.dmp

Filesize
4KB

Download
memory/2168-1-0x00000000052D0000-0x00000000052D1000-memory.dmp

Filesize
4KB

Download