1585d935d47ff234d4b9a71e4f30d0731677d06f430894496c58153011bb90b7 | Triage

Analysis

max time kernel
65s
max time network
110s
platform
windows10_x64
resource
win10
submitted
16-07-2020 08:00

Sharing

Report Analysis Logs

General

Target

gunzipped.exe
Size

565KB
MD5

d1c3278d317750fbd5a9dcae7de2e27c
SHA1

b7815150d40c9caaed7ff338b3f2864b3ade1a2f
SHA256

1585d935d47ff234d4b9a71e4f30d0731677d06f430894496c58153011bb90b7
SHA512

c1b57af1776c54dd24c1fa8009bef08a79e6e82112985685d6a1fa4a1988783d1ab450c4ba1e13e25ea55d5cc7298b056a05ed7520ea5ed57058b9b47bb78c34

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3968	2976	WerFault.exe	66

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
3968	WerFault.exe
3968	WerFault.exe
3968	WerFault.exe
3968	WerFault.exe
3968	WerFault.exe
3968	WerFault.exe
3968	WerFault.exe
3968	WerFault.exe
3968	WerFault.exe
3968	WerFault.exe
3968	WerFault.exe
3968	WerFault.exe
3968	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	3968	WerFault.exe
Token: SeBackupPrivilege	3968	WerFault.exe
Token: SeDebugPrivilege	3968	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\gunzipped.exe
"C:\Users\Admin\AppData\Local\Temp\gunzipped.exe"
1⤵
PID:2976
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2976 -s 908
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3968

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3968-0-0x0000000004220000-0x0000000004221000-memory.dmp

Filesize
4KB

Download
memory/3968-2-0x00000000048D0000-0x00000000048D1000-memory.dmp

Filesize
4KB

Download