3d4f85aa3d78db4a67194188821fa0f6993d66b308a70c67e2bb052fe59d1f2c | Triage

Analysis

max time kernel
145s
max time network
147s
platform
windows10_x64
resource
win10
submitted
14/07/2020, 13:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3mg2ZaPd1aKUUrZ.exe
Size

1.1MB
MD5

b2772719d63317c9c1ce101c26df5d6e
SHA1

0c8a6d3e283e966bb099ae742969f0e163d8ee57
SHA256

3d4f85aa3d78db4a67194188821fa0f6993d66b308a70c67e2bb052fe59d1f2c
SHA512

1d64f5bf1c672ba2c4f6f604b3ce1d34a729cc058a19e57b1ff92e6a611df66dd80a708ae16e541e874b7428fd9a2b61a8c14f785bdb705067c7d02c2947daf9

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3844	2460	WerFault.exe	66

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	3844	WerFault.exe
Token: SeBackupPrivilege	3844	WerFault.exe
Token: SeDebugPrivilege	3844	WerFault.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
3844	WerFault.exe
3844	WerFault.exe
3844	WerFault.exe
3844	WerFault.exe
3844	WerFault.exe
3844	WerFault.exe
3844	WerFault.exe
3844	WerFault.exe
3844	WerFault.exe
3844	WerFault.exe
3844	WerFault.exe
3844	WerFault.exe
3844	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\3mg2ZaPd1aKUUrZ.exe
"C:\Users\Admin\AppData\Local\Temp\3mg2ZaPd1aKUUrZ.exe"
1⤵
PID:2460
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2460 -s 908
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  PID:3844

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3844-0-0x0000000003FB0000-0x0000000003FB1000-memory.dmp

Filesize
4KB

Download
memory/3844-1-0x0000000003FB0000-0x0000000003FB1000-memory.dmp

Filesize
4KB

Download
memory/3844-3-0x00000000047A0000-0x00000000047A1000-memory.dmp

Filesize
4KB

Download