750fad3db3f495fec07ac204f7e3717e75324ea9beed2fce1c48350015b888c5 | Triage

Analysis

max time kernel
117s
max time network
137s
platform
windows10_x64
resource
win10v200430
submitted
17/07/2020, 05:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

06463NWRL6xAdIh.exe
Size

1.3MB
MD5

29dca360241427d5bc482839827d271b
SHA1

4a5189e76f1e4ea370f53f884dad58f4630168a2
SHA256

750fad3db3f495fec07ac204f7e3717e75324ea9beed2fce1c48350015b888c5
SHA512

b341011707a1894e69ee8a450ef0b76ef179557b3fb5c7e3a8d3fde3a275994ab46f711807ee97ee6b7e0ccef06ffddbcfda5a646b0e57c87807e67ed3ffa5b3

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2556	2016	WerFault.exe	67

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	2556	WerFault.exe
Token: SeBackupPrivilege	2556	WerFault.exe
Token: SeDebugPrivilege	2556	WerFault.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2556	WerFault.exe
2556	WerFault.exe
2556	WerFault.exe
2556	WerFault.exe
2556	WerFault.exe
2556	WerFault.exe
2556	WerFault.exe
2556	WerFault.exe
2556	WerFault.exe
2556	WerFault.exe
2556	WerFault.exe
2556	WerFault.exe
2556	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\06463NWRL6xAdIh.exe
"C:\Users\Admin\AppData\Local\Temp\06463NWRL6xAdIh.exe"
1⤵
PID:2016
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 1156
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  PID:2556

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2556-0-0x0000000004640000-0x0000000004641000-memory.dmp

Filesize
4KB

Download
memory/2556-1-0x0000000004640000-0x0000000004641000-memory.dmp

Filesize
4KB

Download
memory/2556-3-0x0000000004640000-0x0000000004641000-memory.dmp

Filesize
4KB

Download
memory/2556-6-0x0000000004AC0000-0x0000000004AC1000-memory.dmp

Filesize
4KB

Download