de083ffcc44c047fbf9a4938aca158f47045b9ee3ce98ce7b24202422fca3396 | Triage

Analysis

max time kernel
128s
max time network
132s
platform
windows10_x64
resource
win10
submitted
13-07-2020 11:58

Sharing

Report Analysis Logs

General

Target

file.exe
Size

765KB
MD5

2254eea10e2cb5e29c09bf28170c2e69
SHA1

566257811fb1b9b99304933b10b49c74e7038bbf
SHA256

de083ffcc44c047fbf9a4938aca158f47045b9ee3ce98ce7b24202422fca3396
SHA512

136237a1f634f32bde0048ef5be59b88a3f356b7ede4493f03e0a67ba1324e9e9223a02fec52695e7db8cfe5e02211d87d8bf0550a51d1b1837b2bba67f39562

Score

3^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
3940	WerFault.exe
3940	WerFault.exe
3940	WerFault.exe
3940	WerFault.exe
3940	WerFault.exe
3940	WerFault.exe
3940	WerFault.exe
3940	WerFault.exe
3940	WerFault.exe
3940	WerFault.exe
3940	WerFault.exe
3940	WerFault.exe
3940	WerFault.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3940	3304	WerFault.exe	66

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	3940	WerFault.exe
Token: SeBackupPrivilege	3940	WerFault.exe
Token: SeDebugPrivilege	3940	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
PID:3304
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3304 -s 1136
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:3940

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3940-0-0x0000000004550000-0x0000000004551000-memory.dmp

Filesize
4KB

Download
memory/3940-1-0x0000000004C90000-0x0000000004C91000-memory.dmp

Filesize
4KB

Download