eaf233924580f52342e12c63fd6a33ec5db002b85a20b26a3e7534147d292bc5 | Triage

Analysis

max time kernel
147s
max time network
98s
platform
windows10_x64
resource
win10v200430
submitted
14/07/2020, 13:30

Sharing

Report Analysis Logs

General

Target

10ZYpleV7XW12Qh.exe
Size

1.1MB
MD5

ca9cd6a5da6c838ae42b7fb8b0e66462
SHA1

1f48422dc91327ac3a2f5a4e770c4a3406037dca
SHA256

eaf233924580f52342e12c63fd6a33ec5db002b85a20b26a3e7534147d292bc5
SHA512

9ab9fed49a60f1f5801176b66db4ca45a8f1dee92b6fcd86462e2fdadaa703a32cbf16e49d4f97348c7e406fe30723c3409bc0cd750e90362747ebbfb76c4da3

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2468	3768	WerFault.exe	65

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	2468	WerFault.exe
Token: SeBackupPrivilege	2468	WerFault.exe
Token: SeDebugPrivilege	2468	WerFault.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2468	WerFault.exe
2468	WerFault.exe
2468	WerFault.exe
2468	WerFault.exe
2468	WerFault.exe
2468	WerFault.exe
2468	WerFault.exe
2468	WerFault.exe
2468	WerFault.exe
2468	WerFault.exe
2468	WerFault.exe
2468	WerFault.exe
2468	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\10ZYpleV7XW12Qh.exe
"C:\Users\Admin\AppData\Local\Temp\10ZYpleV7XW12Qh.exe"
1⤵
PID:3768
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3768 -s 912
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  PID:2468

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2468-0-0x0000000004800000-0x0000000004801000-memory.dmp

Filesize
4KB

Download
memory/2468-1-0x0000000004E40000-0x0000000004E41000-memory.dmp

Filesize
4KB

Download