8cd6c87a4d6f1e137838ccc3fc75bb90fe86aed076e39c9d987ef20d85b7efd2 | Triage

Analysis

max time kernel
130s
max time network
130s
platform
windows10_x64
resource
win10
submitted
13/07/2020, 11:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2020 Temmuz Ekstreniz.exe
Size

334KB
MD5

1260d45e5eab7175fce2444dbc9305bb
SHA1

cb01bab71870df40412872429d5a454e2f578ee5
SHA256

8cd6c87a4d6f1e137838ccc3fc75bb90fe86aed076e39c9d987ef20d85b7efd2
SHA512

6289613b5a1772c653e8092e565a3e725ec632449a68a4a7b84d479abc85e562557f1ceeeb201da7479fb555af8d1ee0f4309a5d327eb4a16c807fecf184d358

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3792	3588	WerFault.exe	66

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
3792	WerFault.exe
3792	WerFault.exe
3792	WerFault.exe
3792	WerFault.exe
3792	WerFault.exe
3792	WerFault.exe
3792	WerFault.exe
3792	WerFault.exe
3792	WerFault.exe
3792	WerFault.exe
3792	WerFault.exe
3792	WerFault.exe
3792	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	3792	WerFault.exe
Token: SeBackupPrivilege	3792	WerFault.exe
Token: SeDebugPrivilege	3792	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\2020 Temmuz Ekstreniz.exe
"C:\Users\Admin\AppData\Local\Temp\2020 Temmuz Ekstreniz.exe"
1⤵
PID:3588
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 1136
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3792

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3792-0-0x0000000004EC0000-0x0000000004EC1000-memory.dmp

Filesize
4KB

Download
memory/3792-1-0x0000000005770000-0x0000000005771000-memory.dmp

Filesize
4KB

Download