fb87ac8736f16a1af756e71a59761cd17930dd4ff3083d0049bdae2d8b9cdd78 | Triage

Analysis

max time kernel
126s
max time network
124s
platform
windows10_x64
resource
win10
submitted
17/07/2020, 16:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

PO 4500396589 VIBRACOUSTIC SAU 071620200.exe
Size

857KB
MD5

f424ca247bac0cb89d2a970f548326c0
SHA1

159b4c74d16dadd990b22b2b6b5cd30f7de46e36
SHA256

fb87ac8736f16a1af756e71a59761cd17930dd4ff3083d0049bdae2d8b9cdd78
SHA512

51a292c6775ba0abe9ededbd5c809c91554eec21eda62e0e2fa720e8ac998186182ecf7f528a89dd46945782d8caf4eb1068d14232826aaf0f186f9b46be7391

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3948	3780	WerFault.exe	66

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
3948	WerFault.exe
3948	WerFault.exe
3948	WerFault.exe
3948	WerFault.exe
3948	WerFault.exe
3948	WerFault.exe
3948	WerFault.exe
3948	WerFault.exe
3948	WerFault.exe
3948	WerFault.exe
3948	WerFault.exe
3948	WerFault.exe
3948	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	3948	WerFault.exe
Token: SeBackupPrivilege	3948	WerFault.exe
Token: SeDebugPrivilege	3948	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\PO 4500396589 VIBRACOUSTIC SAU 071620200.exe
"C:\Users\Admin\AppData\Local\Temp\PO 4500396589 VIBRACOUSTIC SAU 071620200.exe"
1⤵
PID:3780
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3780 -s 1152
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3948

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3948-0-0x0000000004C20000-0x0000000004C21000-memory.dmp

Filesize
4KB

Download