6e5534bae3f5c22467266cc1921253fded33437267b0f8b469bb17282c52a4f2 | Triage

Analysis

max time kernel
122s
max time network
117s
platform
windows10_x64
resource
win10
submitted
13-07-2020 06:25

Sharing

Report Analysis Logs

General

Target

WT0045679.exe
Size

348KB
MD5

62ed509fb1d4970cdce54f932c62f183
SHA1

a9ad23ec52ed7a577cc7e3ae3136b9386b29793c
SHA256

6e5534bae3f5c22467266cc1921253fded33437267b0f8b469bb17282c52a4f2
SHA512

bb72fe936402a70f7b6e7be9d0dfd80011e668a34cdad12b4407c4fa6f1f65e98b5766a2e693172cfbc7a4984910e50d255392b944d4931f73f27ae6ffb0a453

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2020 4060 WerFault.exe WT0045679.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

WerFault.exe

pid	process
2020	WerFault.exe
2020	WerFault.exe
2020	WerFault.exe
2020	WerFault.exe
2020	WerFault.exe
2020	WerFault.exe
2020	WerFault.exe
2020	WerFault.exe
2020	WerFault.exe
2020	WerFault.exe
2020	WerFault.exe
2020	WerFault.exe
2020	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 2020 WerFault.exe
Token: SeBackupPrivilege 2020 WerFault.exe
Token: SeDebugPrivilege 2020 WerFault.exe

C:\Users\Admin\AppData\Local\Temp\WT0045679.exe
"C:\Users\Admin\AppData\Local\Temp\WT0045679.exe"
1⤵
PID:4060
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 1140
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2020

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2020-0-0x0000000004DA0000-0x0000000004DA1000-memory.dmp

Filesize
4KB

Download
memory/2020-1-0x00000000055E0000-0x00000000055E1000-memory.dmp

Filesize
4KB

Download