8288d5fdb5a00ad36980616a12f75316753339bb553353008a526545ee21b5f9 | Triage

Analysis

max time kernel
92s
max time network
100s
platform
windows10_x64
resource
win10
submitted
29-07-2020 05:34

Sharing

Report Analysis Logs

General

Target

IVHQ2201800000512.exe
Size

448KB
MD5

a7be56c01293b4a4290e0a035fb93dd7
SHA1

3d022658785a9cbb79985eb3c6982b0c495139b7
SHA256

8288d5fdb5a00ad36980616a12f75316753339bb553353008a526545ee21b5f9
SHA512

fa6b71f271678ad804d65d7b24a8e11cc817ab8320d7d88d5e3104efd076e0eaaf2bfe6f6858eaee259db1fcb559c0ff451aebbc02d80ed822b58c9da4e8e258

Score

3^/10

Malware Config

Signatures

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	3888	WerFault.exe
Token: SeBackupPrivilege	3888	WerFault.exe
Token: SeDebugPrivilege	3888	WerFault.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
3888	WerFault.exe
3888	WerFault.exe
3888	WerFault.exe
3888	WerFault.exe
3888	WerFault.exe
3888	WerFault.exe
3888	WerFault.exe
3888	WerFault.exe
3888	WerFault.exe
3888	WerFault.exe
3888	WerFault.exe
3888	WerFault.exe
3888	WerFault.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3888	3020	WerFault.exe	66

C:\Users\Admin\AppData\Local\Temp\IVHQ2201800000512.exe
"C:\Users\Admin\AppData\Local\Temp\IVHQ2201800000512.exe"
1⤵
PID:3020
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3020 -s 904
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  - Program crash
  PID:3888

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3888-0-0x0000000004DE0000-0x0000000004DE1000-memory.dmp

Filesize
4KB

Download
memory/3888-1-0x0000000005410000-0x0000000005411000-memory.dmp

Filesize
4KB

Download
memory/3888-10-0x0000000005810000-0x0000000005811000-memory.dmp

Filesize
4KB

Download