f56d7d52023e3a3dd1f6b2c2dc31b11a509d6175ca1385459bcc1cf4a67c9c2f | Triage

Analysis

max time kernel
120s
max time network
123s
platform
windows10_x64
resource
win10
submitted
17-07-2020 05:28

Sharing

Report Analysis Logs

General

Target

CsdMVmZguofylUZ.exe
Size

1.3MB
MD5

2d507b5e2fd52bec7caa8081957a6851
SHA1

acdae484c8e11ac973860b17d408f102f1f7ac30
SHA256

f56d7d52023e3a3dd1f6b2c2dc31b11a509d6175ca1385459bcc1cf4a67c9c2f
SHA512

e702597e7c138f33105ba1cf6fe9c423e38d9096956ac60977060aae9afff66daf3fb2e5c6a64a1c240c9a756000630c6b7cbd50121dfb2af65ac89c9ed65562

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3804	2948	WerFault.exe	66

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	3804	WerFault.exe
Token: SeBackupPrivilege	3804	WerFault.exe
Token: SeDebugPrivilege	3804	WerFault.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
3804	WerFault.exe
3804	WerFault.exe
3804	WerFault.exe
3804	WerFault.exe
3804	WerFault.exe
3804	WerFault.exe
3804	WerFault.exe
3804	WerFault.exe
3804	WerFault.exe
3804	WerFault.exe
3804	WerFault.exe
3804	WerFault.exe
3804	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\CsdMVmZguofylUZ.exe
"C:\Users\Admin\AppData\Local\Temp\CsdMVmZguofylUZ.exe"
1⤵
PID:2948
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2948 -s 920
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  PID:3804

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3804-0-0x0000000004D50000-0x0000000004D51000-memory.dmp

Filesize
4KB

Download
memory/3804-1-0x0000000004D50000-0x0000000004D51000-memory.dmp

Filesize
4KB

Download
memory/3804-3-0x0000000005390000-0x0000000005391000-memory.dmp

Filesize
4KB

Download