bfc3d6d12ca4a76297cf920edbdfe491c6be14e42e6b9c0722ff5efb5bfb6377 | Triage

Analysis

max time kernel
120s
max time network
121s
platform
windows10_x64
resource
win10
submitted
17-07-2020 05:31

Sharing

Report Analysis Logs

General

Target

WZO6r48DeDddU0L.exe
Size

1.7MB
MD5

0fb1a68359130ed63dfd862d0b9ecfd9
SHA1

2976a4560350ee15213b4d19f6fa8b7304cbacae
SHA256

bfc3d6d12ca4a76297cf920edbdfe491c6be14e42e6b9c0722ff5efb5bfb6377
SHA512

65e0b19dfc28d4512e0ff6a5e0299317fbfd75832a043d0f8d472c43d929fb37de6784f600bd75ccdb9824f6142393d46dedb5f64e41a79a8fd667bc45e7656f

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3804	3180	WerFault.exe	66

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	3804	WerFault.exe
Token: SeBackupPrivilege	3804	WerFault.exe
Token: SeDebugPrivilege	3804	WerFault.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
3804	WerFault.exe
3804	WerFault.exe
3804	WerFault.exe
3804	WerFault.exe
3804	WerFault.exe
3804	WerFault.exe
3804	WerFault.exe
3804	WerFault.exe
3804	WerFault.exe
3804	WerFault.exe
3804	WerFault.exe
3804	WerFault.exe
3804	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\WZO6r48DeDddU0L.exe
"C:\Users\Admin\AppData\Local\Temp\WZO6r48DeDddU0L.exe"
1⤵
PID:3180
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3180 -s 920
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  PID:3804

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3804-0-0x0000000004A00000-0x0000000004A01000-memory.dmp

Filesize
4KB

Download
memory/3804-1-0x0000000004A00000-0x0000000004A01000-memory.dmp

Filesize
4KB

Download
memory/3804-3-0x0000000004FC0000-0x0000000004FC1000-memory.dmp

Filesize
4KB

Download