2ad4a02a1f907b8036b9bea0fd940bfb47435964b23ffae577080823c86500dd | Triage

Analysis

max time kernel
64s
max time network
112s
platform
windows10_x64
resource
win10v200722
submitted
31-07-2020 11:49

Sharing

Report Analysis Logs

General

Target

Confirmation Copy 11.exe
Size

520KB
MD5

9d317210a5afb36bb85856718b96e1ef
SHA1

e5cf4b696cb785b825322f84cf66c299c27f4068
SHA256

2ad4a02a1f907b8036b9bea0fd940bfb47435964b23ffae577080823c86500dd
SHA512

5d67f53a63d1cd20af6073b16dff41d41922a0b680c041d52364c08528280a399851612cfb7190f96e5788e94eec7d967e53bb4643db06cc475f380a8e02deba

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2936 3712 WerFault.exe Confirmation Copy 11.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 2936 WerFault.exe
Token: SeBackupPrivilege 2936 WerFault.exe
Token: SeDebugPrivilege 2936 WerFault.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

WerFault.exe

pid	process
2936	WerFault.exe
2936	WerFault.exe
2936	WerFault.exe
2936	WerFault.exe
2936	WerFault.exe
2936	WerFault.exe
2936	WerFault.exe
2936	WerFault.exe
2936	WerFault.exe
2936	WerFault.exe
2936	WerFault.exe
2936	WerFault.exe
2936	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\Confirmation Copy 11.exe
"C:\Users\Admin\AppData\Local\Temp\Confirmation Copy 11.exe"
1⤵
PID:3712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3712 -s 1172
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:2936

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2936-0-0x0000000004CE0000-0x0000000004CE1000-memory.dmp

Filesize
4KB

Download
memory/2936-1-0x0000000005690000-0x0000000005691000-memory.dmp

Filesize
4KB

Download