3b13bf8c3de862a6914cf5a9eb0539e0046faf3e62e7d2f0fb63001e8dd2b5a3 | Triage

Analysis

max time kernel
116s
max time network
124s
platform
windows10_x64
resource
win10
submitted
13-07-2020 11:22

Sharing

Report Analysis Logs

General

Target

32027444.jpg.exe
Size

340KB
MD5

b5552041f02602b6fa8faa9ccd590ea2
SHA1

21e742f91ab44673f5cc14b82c18f359a127c670
SHA256

3b13bf8c3de862a6914cf5a9eb0539e0046faf3e62e7d2f0fb63001e8dd2b5a3
SHA512

124867cbf5d87fc077ed2537f71f47311064ab64558bf5dac59e27acc8ef3e7f372cf307e90da313ebb8864d246f418f9e45efeefd11a5bd945501ffd0558e9f

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3168	3404	WerFault.exe	66

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
3168	WerFault.exe
3168	WerFault.exe
3168	WerFault.exe
3168	WerFault.exe
3168	WerFault.exe
3168	WerFault.exe
3168	WerFault.exe
3168	WerFault.exe
3168	WerFault.exe
3168	WerFault.exe
3168	WerFault.exe
3168	WerFault.exe
3168	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	3168	WerFault.exe
Token: SeBackupPrivilege	3168	WerFault.exe
Token: SeDebugPrivilege	3168	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\32027444.jpg.exe
"C:\Users\Admin\AppData\Local\Temp\32027444.jpg.exe"
1⤵
PID:3404
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3404 -s 1140
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3168

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3168-0-0x00000000049B0000-0x00000000049B1000-memory.dmp

Filesize
4KB

Download
memory/3168-1-0x0000000005330000-0x0000000005331000-memory.dmp

Filesize
4KB

Download
memory/3168-2-0x0000000005330000-0x0000000005331000-memory.dmp

Filesize
4KB

Download