0997df6c23c47188146000e04ad399b7ccfdbe3e9cfceed18b232b712088adee | Triage

Analysis

max time kernel
122s
max time network
119s
platform
windows10_x64
resource
win10
submitted
15-07-2020 13:05

Sharing

Report Analysis Logs

General

Target

PO.exe
Size

363KB
MD5

03a9449ae7b7d6b49034ffc0355540ec
SHA1

d0a4f8207905ed65aca2cfc812dbd1f0b6849ebc
SHA256

0997df6c23c47188146000e04ad399b7ccfdbe3e9cfceed18b232b712088adee
SHA512

fa9df0cd4e07e9a9295a4a272ee99ca95f02ff5ed02d1daada1ae79509b044581ecd80c60651595ffc5b077bdfe9cb08d05683748afb9fa8ee803c3b602b795d

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3892	344	WerFault.exe	66

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3892	WerFault.exe
3892	WerFault.exe
3892	WerFault.exe
3892	WerFault.exe
3892	WerFault.exe
3892	WerFault.exe
3892	WerFault.exe
3892	WerFault.exe
3892	WerFault.exe
3892	WerFault.exe
3892	WerFault.exe
3892	WerFault.exe
3892	WerFault.exe
3892	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	3892	WerFault.exe
Token: SeBackupPrivilege	3892	WerFault.exe
Token: SeDebugPrivilege	3892	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\PO.exe
"C:\Users\Admin\AppData\Local\Temp\PO.exe"
1⤵
PID:344
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 344 -s 1112
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3892

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3892-0-0x0000000004580000-0x0000000004581000-memory.dmp

Filesize
4KB

Download
memory/3892-1-0x0000000004AC0000-0x0000000004AC1000-memory.dmp

Filesize
4KB

Download