f91f135e5aecd2e2e8d81ac771475de147b858c1807bde08e47cdf68f545d8da | Triage

Analysis

max time kernel
138s
max time network
104s
platform
windows10_x64
resource
win10v200430
submitted
15/07/2020, 12:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

lol.exe
Size

869KB
MD5

4a37a3769de56de4edcc8853d50e29e0
SHA1

77d87412145a994e30a6493e2fe9e272da22e713
SHA256

f91f135e5aecd2e2e8d81ac771475de147b858c1807bde08e47cdf68f545d8da
SHA512

683b64bcf31386048c0c7169fa020c8a6861ad9d142fa054afb6835f99480d88e0cd5d5f3a5343dde874e7624ceafcd09a63dccb2e3af9202b20af0f0cc055ef

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2252	3724	WerFault.exe	65

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	2252	WerFault.exe
Token: SeBackupPrivilege	2252	WerFault.exe
Token: SeDebugPrivilege	2252	WerFault.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2252	WerFault.exe
2252	WerFault.exe
2252	WerFault.exe
2252	WerFault.exe
2252	WerFault.exe
2252	WerFault.exe
2252	WerFault.exe
2252	WerFault.exe
2252	WerFault.exe
2252	WerFault.exe
2252	WerFault.exe
2252	WerFault.exe
2252	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\lol.exe
"C:\Users\Admin\AppData\Local\Temp\lol.exe"
1⤵
PID:3724
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3724 -s 940
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  PID:2252

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2252-0-0x0000000004580000-0x0000000004581000-memory.dmp

Filesize
4KB

Download
memory/2252-1-0x0000000004D00000-0x0000000004D01000-memory.dmp

Filesize
4KB

Download