7fb6e9a788b18806469167cf64458dd590122593a04489cf70bb70434905a246 | Triage

Analysis

max time kernel
119s
max time network
117s
platform
windows10_x64
resource
win10
submitted
14/07/2020, 13:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

GSYJrJhEUVbUoZN.exe
Size

1003KB
MD5

a25c4a2a838811521034e121d502ed72
SHA1

5d81483df22eb8ad3b6b8198b63853f70f6d798b
SHA256

7fb6e9a788b18806469167cf64458dd590122593a04489cf70bb70434905a246
SHA512

889fbd8be7dda4d1dc69a498a96178b9992fb637460aaa54417b20a56cd9ab39c37f041e2c1997b873049fd157a6cd6edbf77be7a444076a5c803fd77b8d26b4

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2564	3612	WerFault.exe	66

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	2564	WerFault.exe
Token: SeBackupPrivilege	2564	WerFault.exe
Token: SeDebugPrivilege	2564	WerFault.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2564	WerFault.exe
2564	WerFault.exe
2564	WerFault.exe
2564	WerFault.exe
2564	WerFault.exe
2564	WerFault.exe
2564	WerFault.exe
2564	WerFault.exe
2564	WerFault.exe
2564	WerFault.exe
2564	WerFault.exe
2564	WerFault.exe
2564	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\GSYJrJhEUVbUoZN.exe
"C:\Users\Admin\AppData\Local\Temp\GSYJrJhEUVbUoZN.exe"
1⤵
PID:3612
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3612 -s 908
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  PID:2564

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2564-0-0x0000000004A20000-0x0000000004A21000-memory.dmp

Filesize
4KB

Download
memory/2564-1-0x00000000050E0000-0x00000000050E1000-memory.dmp

Filesize
4KB

Download