a07a151e7a4e4514a55d3053b5e5238d36d9763920489d26d3f545134e806739 | Triage

Analysis

max time kernel
119s
max time network
120s
platform
windows10_x64
resource
win10
submitted
19-07-2020 19:46

Sharing

Report Analysis Logs

General

Target

tasks_152.vir.exe
Size

157KB
MD5

f8465c2e372762b793e3e7fbfd7b324b
SHA1

c13c715e34744c2edc2ccc053a4674bc6dd630fa
SHA256

a07a151e7a4e4514a55d3053b5e5238d36d9763920489d26d3f545134e806739
SHA512

0ffb1a0cefa035c1e3463bfa71c107e8ca5291529f3e35ef29ad80536556e5975fec71fd27199d8a3190dc4c9e322e4cf9c73f41a82cb317d0d15071cf402f78

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3228 3932 WerFault.exe tasks_152.vir.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 3228 WerFault.exe
Token: SeBackupPrivilege 3228 WerFault.exe
Token: SeDebugPrivilege 3228 WerFault.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

pid	process
3228	WerFault.exe
3228	WerFault.exe
3228	WerFault.exe
3228	WerFault.exe
3228	WerFault.exe
3228	WerFault.exe
3228	WerFault.exe
3228	WerFault.exe
3228	WerFault.exe
3228	WerFault.exe
3228	WerFault.exe
3228	WerFault.exe
3228	WerFault.exe
3228	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\tasks_152.vir.exe
"C:\Users\Admin\AppData\Local\Temp\tasks_152.vir.exe"
1⤵
PID:3932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3932 -s 364
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:3228

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3228-0-0x0000000004630000-0x0000000004631000-memory.dmp

Filesize
4KB

Download
memory/3228-2-0x0000000004DE0000-0x0000000004DE1000-memory.dmp

Filesize
4KB

Download