0b5b880307bbb0233d7acf9685b9ef0d596657c4a52b6096f998689d743ec168 | Triage

Analysis

max time kernel
124s
max time network
147s
platform
windows10_x64
resource
win10v200430
submitted
13/07/2020, 17:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2.exe
Size

63KB
MD5

807e68132cc9f6def300da6cd8c6417c
SHA1

da00155621e459ecbb2b7cebe8ca4e2137b4ee76
SHA256

0b5b880307bbb0233d7acf9685b9ef0d596657c4a52b6096f998689d743ec168
SHA512

5c782232964e68ec00e89c8f6bfc17c9d57d7978a4fb7c6b36d878a61c48aaf8ee01c2ffb80857bb2866a387e9ee840fddb88f034dbda29a81240d2906146fcd

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1344	2536	WerFault.exe	67

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	1344	WerFault.exe
Token: SeBackupPrivilege	1344	WerFault.exe
Token: SeDebugPrivilege	1344	WerFault.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
1344	WerFault.exe
1344	WerFault.exe
1344	WerFault.exe
1344	WerFault.exe
1344	WerFault.exe
1344	WerFault.exe
1344	WerFault.exe
1344	WerFault.exe
1344	WerFault.exe
1344	WerFault.exe
1344	WerFault.exe
1344	WerFault.exe
1344	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\2.exe
"C:\Users\Admin\AppData\Local\Temp\2.exe"
1⤵
PID:2536
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 564
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  PID:1344

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1344-0-0x0000000004870000-0x0000000004871000-memory.dmp

Filesize
4KB

Download
memory/1344-1-0x0000000004EA0000-0x0000000004EA1000-memory.dmp

Filesize
4KB

Download