0e1398abdfa85e32529125bf46eca2248faa7baa07f114ead8e310fc05a73beb | Triage

Analysis

max time kernel
142s
max time network
105s
platform
windows10_x64
resource
win10v200430
submitted
16/07/2020, 06:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

PO-7890374.exe
Size

488KB
MD5

e9578b76923aaf0ef5c6ddd29f04c44b
SHA1

fd105ad0cfaac1465e7773e1f5a98a4bdc9ab7d9
SHA256

0e1398abdfa85e32529125bf46eca2248faa7baa07f114ead8e310fc05a73beb
SHA512

fb064a5aad513cf8650d03b716e0502a920779a9c2f7f3db0628e65c89c439b72984f2efc21f43112874fff3cbe1c59d1cc0d8e4cc944ecd97abb043c280cc37

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2236	968	WerFault.exe	65

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2236	WerFault.exe
2236	WerFault.exe
2236	WerFault.exe
2236	WerFault.exe
2236	WerFault.exe
2236	WerFault.exe
2236	WerFault.exe
2236	WerFault.exe
2236	WerFault.exe
2236	WerFault.exe
2236	WerFault.exe
2236	WerFault.exe
2236	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	2236	WerFault.exe
Token: SeBackupPrivilege	2236	WerFault.exe
Token: SeDebugPrivilege	2236	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\PO-7890374.exe
"C:\Users\Admin\AppData\Local\Temp\PO-7890374.exe"
1⤵
PID:968
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 968 -s 916
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2236

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2236-0-0x0000000004810000-0x0000000004811000-memory.dmp

Filesize
4KB

Download
memory/2236-1-0x0000000004810000-0x0000000004811000-memory.dmp

Filesize
4KB

Download
memory/2236-4-0x00000000049C0000-0x00000000049C1000-memory.dmp

Filesize
4KB

Download