deb000698f0c002307d6afbb61195804c955ae5b1141a1a1657ce0c5c1911e98 | Triage

Analysis

max time kernel
147s
max time network
102s
platform
windows10_x64
resource
win10v200430
submitted
13-07-2020 06:33

Sharing

Report Analysis Logs

General

Target

pzfKBUp9OK3KBEV.exe
Size

401KB
MD5

96fb94b8946efa330fa527dafbe56813
SHA1

63ae0fa193b86da066af6a2b7e90e64e4b5661ec
SHA256

deb000698f0c002307d6afbb61195804c955ae5b1141a1a1657ce0c5c1911e98
SHA512

ef011685bce609e2477fd74043009061dc1bdca2132c23cf6eff0d8212e6373e5b32a29fa2434e2735cd661ed4542a29297ce564cd9144fc6418fedebb619bd8

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2468 3768 WerFault.exe pzfKBUp9OK3KBEV.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

WerFault.exe

pid	process
2468	WerFault.exe
2468	WerFault.exe
2468	WerFault.exe
2468	WerFault.exe
2468	WerFault.exe
2468	WerFault.exe
2468	WerFault.exe
2468	WerFault.exe
2468	WerFault.exe
2468	WerFault.exe
2468	WerFault.exe
2468	WerFault.exe
2468	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 2468 WerFault.exe
Token: SeBackupPrivilege 2468 WerFault.exe
Token: SeDebugPrivilege 2468 WerFault.exe

C:\Users\Admin\AppData\Local\Temp\pzfKBUp9OK3KBEV.exe
"C:\Users\Admin\AppData\Local\Temp\pzfKBUp9OK3KBEV.exe"
1⤵
PID:3768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3768 -s 1140
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2468

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2468-0-0x0000000004050000-0x0000000004051000-memory.dmp

Filesize
4KB

Download
memory/2468-1-0x0000000004900000-0x0000000004901000-memory.dmp

Filesize
4KB

Download