37e2ca0ea6838887745d5f452aea15de2a0ea556a9095a87962c103489942e08 | Triage

Analysis

max time kernel
135s
max time network
107s
platform
windows10_x64
resource
win10v200430
submitted
16-07-2020 19:04

Sharing

Report Analysis Logs

General

Target

fty.exe
Size

564KB
MD5

70e0f7eacd578fef1b19738934c8cc1e
SHA1

2c2734a866cac52b7e63c2cc5a982ae9dfb7435e
SHA256

37e2ca0ea6838887745d5f452aea15de2a0ea556a9095a87962c103489942e08
SHA512

2abd6d51a4aa132b2b64a9c4bf06134aacf489b1d82c458bfc5e12e04ff67eef511ffca0995c685209397c710120f99731de78aa7c6eb9530cfe5856f0ce226f

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2264	3944	WerFault.exe	65

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2264	WerFault.exe
2264	WerFault.exe
2264	WerFault.exe
2264	WerFault.exe
2264	WerFault.exe
2264	WerFault.exe
2264	WerFault.exe
2264	WerFault.exe
2264	WerFault.exe
2264	WerFault.exe
2264	WerFault.exe
2264	WerFault.exe
2264	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	2264	WerFault.exe
Token: SeBackupPrivilege	2264	WerFault.exe
Token: SeDebugPrivilege	2264	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\fty.exe
"C:\Users\Admin\AppData\Local\Temp\fty.exe"
1⤵
PID:3944
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 908
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2264

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2264-0-0x0000000004090000-0x0000000004091000-memory.dmp

Filesize
4KB

Download
memory/2264-1-0x00000000046C0000-0x00000000046C1000-memory.dmp

Filesize
4KB

Download