a3d73a97079478583fb8ec8e057635547d2895bcd59f57df145386c29657ea75 | Triage

Analysis

max time kernel
135s
max time network
102s
platform
windows10_x64
resource
win10v200430
submitted
13-07-2020 09:35

Sharing

Report Analysis Logs

General

Target

260vv53.exe
Size

156KB
MD5

8034076d1c34a8d5b4e1acf4f83889a6
SHA1

3424ee732f4bbe41d977ad59cd6d8f4235385095
SHA256

a3d73a97079478583fb8ec8e057635547d2895bcd59f57df145386c29657ea75
SHA512

2fad11b1433b11c659eefde8ca0ee22db93fbd65f089080402d3c0185787135638484b307b9bbd553034ca36cfbd14f669e785dc754db4b0cd236bdd74cc6edc

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2764	2804	WerFault.exe	65

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	2764	WerFault.exe
Token: SeBackupPrivilege	2764	WerFault.exe
Token: SeDebugPrivilege	2764	WerFault.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2764	WerFault.exe
2764	WerFault.exe
2764	WerFault.exe
2764	WerFault.exe
2764	WerFault.exe
2764	WerFault.exe
2764	WerFault.exe
2764	WerFault.exe
2764	WerFault.exe
2764	WerFault.exe
2764	WerFault.exe
2764	WerFault.exe
2764	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\260vv53.exe
"C:\Users\Admin\AppData\Local\Temp\260vv53.exe"
1⤵
PID:2804
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2804 -s 1140
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  PID:2764

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2764-0-0x0000000004370000-0x0000000004371000-memory.dmp

Filesize
4KB

Download
memory/2764-1-0x00000000049B0000-0x00000000049B1000-memory.dmp

Filesize
4KB

Download