aa7cf195c540803383a53aef054355871842e7ff152e96e4a838d07d3bbc6de1 | Triage

Analysis

max time kernel
135s
max time network
105s
platform
windows10_x64
resource
win10v200430
submitted
16-07-2020 13:26

Sharing

Report Analysis Logs

General

Target

bensway.exe
Size

514KB
MD5

5d9719175e0d6962872c124a994e5ee1
SHA1

98c0f01798e360dfbeb1b79f489ab504202911f6
SHA256

aa7cf195c540803383a53aef054355871842e7ff152e96e4a838d07d3bbc6de1
SHA512

d2d54a238d3e97979740dfd522434b234d8730f7c1688a6b47c207cee04de14fabe25772ea2ae17e4bc5b24d8c9ae98e6832740a40455b5ee4b7947bfd6e3eaa

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2164	3844	WerFault.exe	65

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2164	WerFault.exe
2164	WerFault.exe
2164	WerFault.exe
2164	WerFault.exe
2164	WerFault.exe
2164	WerFault.exe
2164	WerFault.exe
2164	WerFault.exe
2164	WerFault.exe
2164	WerFault.exe
2164	WerFault.exe
2164	WerFault.exe
2164	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	2164	WerFault.exe
Token: SeBackupPrivilege	2164	WerFault.exe
Token: SeDebugPrivilege	2164	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\bensway.exe
"C:\Users\Admin\AppData\Local\Temp\bensway.exe"
1⤵
PID:3844
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3844 -s 916
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2164

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2164-0-0x0000000004260000-0x0000000004261000-memory.dmp

Filesize
4KB

Download