1db65284dd73545215b9db3834b16709bf5bf5c33a417c38a205d09317cd6d0d | Triage

Analysis

max time kernel
117s
max time network
120s
platform
windows10_x64
resource
win10
submitted
17-07-2020 05:30

Sharing

Report Analysis Logs

General

Target

dlWs3KImcASZUXb.exe
Size

1.3MB
MD5

65510953a3e244a740560d58097b4516
SHA1

8acf08ecac72cfcef6591004fa8c8188628bd939
SHA256

1db65284dd73545215b9db3834b16709bf5bf5c33a417c38a205d09317cd6d0d
SHA512

b45dc5bd4b2822854d83df1daeeb14e17952bc3b7c2c4bd7c72a864dab9067121055a823aea52fb56f14f0bd5c85979fad9ff3170af87e23e41a8706f953660d

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3868	4092	WerFault.exe	66

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	3868	WerFault.exe
Token: SeBackupPrivilege	3868	WerFault.exe
Token: SeDebugPrivilege	3868	WerFault.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
3868	WerFault.exe
3868	WerFault.exe
3868	WerFault.exe
3868	WerFault.exe
3868	WerFault.exe
3868	WerFault.exe
3868	WerFault.exe
3868	WerFault.exe
3868	WerFault.exe
3868	WerFault.exe
3868	WerFault.exe
3868	WerFault.exe
3868	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\dlWs3KImcASZUXb.exe
"C:\Users\Admin\AppData\Local\Temp\dlWs3KImcASZUXb.exe"
1⤵
PID:4092
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 1152
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  PID:3868

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3868-0-0x0000000004440000-0x0000000004441000-memory.dmp

Filesize
4KB

Download
memory/3868-1-0x0000000004440000-0x0000000004441000-memory.dmp

Filesize
4KB

Download
memory/3868-3-0x0000000004B80000-0x0000000004B81000-memory.dmp

Filesize
4KB

Download