b65f542c74ced21ba853b4840f0cfad311027e518b1c3925bd530a2da424293c | Triage

Analysis

max time kernel
122s
max time network
117s
platform
windows10_x64
resource
win10
submitted
16-07-2020 03:11

Sharing

Report Analysis Logs

General

Target

PO.exe
Size

1.3MB
MD5

911cfe476937e7f4aad553bc0814e802
SHA1

0e8b839716a75991db3f26c5c768059f1aaff27e
SHA256

b65f542c74ced21ba853b4840f0cfad311027e518b1c3925bd530a2da424293c
SHA512

024749dbe0672625ced0f2e9b2039ba20d4b6f9ef4d5342678773b309e340f93769f081962fece7b2eed4774b0e1869801e0e773a353949c073a89b1d28da1ad

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3860	3104	WerFault.exe	66

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
3860	WerFault.exe
3860	WerFault.exe
3860	WerFault.exe
3860	WerFault.exe
3860	WerFault.exe
3860	WerFault.exe
3860	WerFault.exe
3860	WerFault.exe
3860	WerFault.exe
3860	WerFault.exe
3860	WerFault.exe
3860	WerFault.exe
3860	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	3860	WerFault.exe
Token: SeBackupPrivilege	3860	WerFault.exe
Token: SeDebugPrivilege	3860	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\PO.exe
"C:\Users\Admin\AppData\Local\Temp\PO.exe"
1⤵
PID:3104
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3104 -s 936
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3860

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3860-0-0x0000000004420000-0x0000000004421000-memory.dmp

Filesize
4KB

Download
memory/3860-1-0x0000000004420000-0x0000000004421000-memory.dmp

Filesize
4KB

Download
memory/3860-3-0x0000000004B50000-0x0000000004B51000-memory.dmp

Filesize
4KB

Download