9f55258f872561acb62137271079b8e1f67ebe6b1a211e30a2c02c02699c3449 | Triage

Analysis

max time kernel
123s
max time network
124s
platform
windows10_x64
resource
win10
submitted
19-07-2020 17:28

Sharing

Report Analysis Logs

General

Target

tasks_203.vir.exe
Size

328KB
MD5

e431a6b3e3ea4e32f8dd622f3e632a27
SHA1

b6421384ac16c0a9e65f698263bc2784fa0f5596
SHA256

9f55258f872561acb62137271079b8e1f67ebe6b1a211e30a2c02c02699c3449
SHA512

943cd962e946415cda461984b9620d25c43861c181151605ac35448842f537afa34e94809a6a304219d72c4bbd8fbae3c09c9450db5e040efa166ee6e144ef13

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3112 716 WerFault.exe tasks_203.vir.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 3112 WerFault.exe
Token: SeBackupPrivilege 3112 WerFault.exe
Token: SeDebugPrivilege 3112 WerFault.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

pid	process
3112	WerFault.exe
3112	WerFault.exe
3112	WerFault.exe
3112	WerFault.exe
3112	WerFault.exe
3112	WerFault.exe
3112	WerFault.exe
3112	WerFault.exe
3112	WerFault.exe
3112	WerFault.exe
3112	WerFault.exe
3112	WerFault.exe
3112	WerFault.exe
3112	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\tasks_203.vir.exe
"C:\Users\Admin\AppData\Local\Temp\tasks_203.vir.exe"
1⤵
PID:716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 716 -s 548
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:3112

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3112-0-0x0000000004170000-0x0000000004171000-memory.dmp

Filesize
4KB

Download
memory/3112-1-0x00000000047A0000-0x00000000047A1000-memory.dmp

Filesize
4KB

Download