92276f87f48836d141ee02c8b6f75398ded9a3e4b12b84441e3125933af6c755 | Triage

Analysis

max time kernel
67s
max time network
90s
platform
windows10_x64
resource
win10
submitted
14/07/2020, 13:32

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

gYMDqZk9NvACog9.exe
Size

901KB
MD5

a49788f4389f09f209c66e798acc4341
SHA1

17909c880885433b7054ae36d1839b5e3cd2a0cf
SHA256

92276f87f48836d141ee02c8b6f75398ded9a3e4b12b84441e3125933af6c755
SHA512

51c5b561617e6f37d2863f5b17873186c9e8a69cf888c687d75a71395f3d1e42accca5172b1ad14acdcf66e99c1df3ca57f198f6d73107c9f357508d37520760

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3792	3536	WerFault.exe	66

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	3792	WerFault.exe
Token: SeBackupPrivilege	3792	WerFault.exe
Token: SeDebugPrivilege	3792	WerFault.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
3792	WerFault.exe
3792	WerFault.exe
3792	WerFault.exe
3792	WerFault.exe
3792	WerFault.exe
3792	WerFault.exe
3792	WerFault.exe
3792	WerFault.exe
3792	WerFault.exe
3792	WerFault.exe
3792	WerFault.exe
3792	WerFault.exe
3792	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\gYMDqZk9NvACog9.exe
"C:\Users\Admin\AppData\Local\Temp\gYMDqZk9NvACog9.exe"
1⤵
PID:3536
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3536 -s 908
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  PID:3792

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3792-0-0x0000000004370000-0x0000000004371000-memory.dmp

Filesize
4KB

Download
memory/3792-1-0x00000000048B0000-0x00000000048B1000-memory.dmp

Filesize
4KB

Download