96b854630806f4f57fa28534d9b478907db67c016bd606ba4b0d31af56f12d48 | Triage

Analysis

max time kernel
127s
max time network
150s
platform
windows10_x64
resource
win10v200430
submitted
15/07/2020, 14:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

088021ord_#PO.exe
Size

1.4MB
MD5

300ba4035c456e004ebd91feec81e2f2
SHA1

89aed8ca31e2c3ec2208d3b82151e13a2fdbf812
SHA256

96b854630806f4f57fa28534d9b478907db67c016bd606ba4b0d31af56f12d48
SHA512

86d61cec3d44a1b0b9aed4cfde05a79aaf3dd798280d96dec4f7f3acc8800a06ae9a57ce2373d4ff9926b9ea86e9c3f8879e1bf1ef376f3ff65de50941b93203

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3692	1612	WerFault.exe	67

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
3692	WerFault.exe
3692	WerFault.exe
3692	WerFault.exe
3692	WerFault.exe
3692	WerFault.exe
3692	WerFault.exe
3692	WerFault.exe
3692	WerFault.exe
3692	WerFault.exe
3692	WerFault.exe
3692	WerFault.exe
3692	WerFault.exe
3692	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	3692	WerFault.exe
Token: SeBackupPrivilege	3692	WerFault.exe
Token: SeDebugPrivilege	3692	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\088021ord_#PO.exe
"C:\Users\Admin\AppData\Local\Temp\088021ord_#PO.exe"
1⤵
PID:1612
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 944
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3692

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3692-0-0x0000000004900000-0x0000000004901000-memory.dmp

Filesize
4KB

Download
memory/3692-1-0x0000000004900000-0x0000000004901000-memory.dmp

Filesize
4KB

Download
memory/3692-3-0x0000000004EC0000-0x0000000004EC1000-memory.dmp

Filesize
4KB

Download