015da4d338b5ccb6a5ae37b29a30bdd80445280746011616535a26c60b4be0bb | Triage

Analysis

max time kernel
136s
max time network
111s
platform
windows10_x64
resource
win10v200430
submitted
17-07-2020 05:28

Sharing

Report Analysis Logs

General

Target

CXEStNhBHVr8t4j.exe
Size

1.6MB
MD5

8ed41c5e460132f308df2d5de49efc1a
SHA1

807c717590eeccddaa4130a2ada854f695999e5d
SHA256

015da4d338b5ccb6a5ae37b29a30bdd80445280746011616535a26c60b4be0bb
SHA512

81dfefcc925e0e358cabf3a73fe9787d9b13c7d0a42dbb1bf898fa4e6d1dd2d3bd68a25018b2c445b6a6cc474634729e3bcf931deb6be29464b78c5951d12722

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2780	2804	WerFault.exe	65

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	2780	WerFault.exe
Token: SeBackupPrivilege	2780	WerFault.exe
Token: SeDebugPrivilege	2780	WerFault.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2780	WerFault.exe
2780	WerFault.exe
2780	WerFault.exe
2780	WerFault.exe
2780	WerFault.exe
2780	WerFault.exe
2780	WerFault.exe
2780	WerFault.exe
2780	WerFault.exe
2780	WerFault.exe
2780	WerFault.exe
2780	WerFault.exe
2780	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\CXEStNhBHVr8t4j.exe
"C:\Users\Admin\AppData\Local\Temp\CXEStNhBHVr8t4j.exe"
1⤵
PID:2804
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2804 -s 1152
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  PID:2780

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2780-0-0x0000000004ED0000-0x0000000004ED1000-memory.dmp

Filesize
4KB

Download
memory/2780-1-0x0000000004ED0000-0x0000000004ED1000-memory.dmp

Filesize
4KB

Download
memory/2780-3-0x0000000005780000-0x0000000005781000-memory.dmp

Filesize
4KB

Download