56db6f69bbc36e0758d7e5e1cce28ddc57f3eec355a36c1b9170d509780a4c2e | Triage

Analysis

max time kernel
124s
max time network
146s
platform
windows10_x64
resource
win10v200430
submitted
16-07-2020 19:19

Sharing

Report Analysis Logs

General

Target

1nkjH2Sua25O2db.exe
Size

470KB
MD5

627579f1dcbc328a55c2fce2aee91a73
SHA1

637ea6d55398f30f13d3c2c7ab2d60dc0d8d6b8d
SHA256

56db6f69bbc36e0758d7e5e1cce28ddc57f3eec355a36c1b9170d509780a4c2e
SHA512

e8e5f99e89f0b5f17f8e9069d0e4d084f264fc1fed10272661c7fefd8774735e1f9272b20245e76a2ddb6f80cbab0ece9dee7493ef976b8314a57b8e2d6d25e1

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2664	972	WerFault.exe	67

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2664	WerFault.exe
2664	WerFault.exe
2664	WerFault.exe
2664	WerFault.exe
2664	WerFault.exe
2664	WerFault.exe
2664	WerFault.exe
2664	WerFault.exe
2664	WerFault.exe
2664	WerFault.exe
2664	WerFault.exe
2664	WerFault.exe
2664	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	2664	WerFault.exe
Token: SeBackupPrivilege	2664	WerFault.exe
Token: SeDebugPrivilege	2664	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\1nkjH2Sua25O2db.exe
"C:\Users\Admin\AppData\Local\Temp\1nkjH2Sua25O2db.exe"
1⤵
PID:972
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 972 -s 912
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2664

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2664-0-0x0000000004F40000-0x0000000004F41000-memory.dmp

Filesize
4KB

Download
memory/2664-1-0x0000000005580000-0x0000000005581000-memory.dmp

Filesize
4KB

Download