deb000698f0c002307d6afbb61195804c955ae5b1141a1a1657ce0c5c1911e98 | Triage

Analysis

max time kernel
147s
max time network
102s
platform
windows10_x64
resource
win10v200430
submitted
13/07/2020, 06:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

pzfKBUp9OK3KBEV.exe
Size

401KB
MD5

96fb94b8946efa330fa527dafbe56813
SHA1

63ae0fa193b86da066af6a2b7e90e64e4b5661ec
SHA256

deb000698f0c002307d6afbb61195804c955ae5b1141a1a1657ce0c5c1911e98
SHA512

ef011685bce609e2477fd74043009061dc1bdca2132c23cf6eff0d8212e6373e5b32a29fa2434e2735cd661ed4542a29297ce564cd9144fc6418fedebb619bd8

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2468	3768	WerFault.exe	65

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2468	WerFault.exe
2468	WerFault.exe
2468	WerFault.exe
2468	WerFault.exe
2468	WerFault.exe
2468	WerFault.exe
2468	WerFault.exe
2468	WerFault.exe
2468	WerFault.exe
2468	WerFault.exe
2468	WerFault.exe
2468	WerFault.exe
2468	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	2468	WerFault.exe
Token: SeBackupPrivilege	2468	WerFault.exe
Token: SeDebugPrivilege	2468	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\pzfKBUp9OK3KBEV.exe
"C:\Users\Admin\AppData\Local\Temp\pzfKBUp9OK3KBEV.exe"
1⤵
PID:3768
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3768 -s 1140
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2468

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2468-0-0x0000000004050000-0x0000000004051000-memory.dmp

Filesize
4KB

Download
memory/2468-1-0x0000000004900000-0x0000000004901000-memory.dmp

Filesize
4KB

Download