6077a9d47232d6bb6425891c5c71096e21e4f961fa4b882004c4574a23321ab9 | Triage

Analysis

max time kernel
65s
max time network
116s
platform
windows10_x64
resource
win10
submitted
31-07-2020 12:13

Sharing

Report Analysis Logs

General

Target

gunzipped.exe
Size

936KB
MD5

bbb0b33663055f506d0dc4fa382b6ef6
SHA1

c97788c492ebd0f959f069ab5b6d341fb2fbcaa1
SHA256

6077a9d47232d6bb6425891c5c71096e21e4f961fa4b882004c4574a23321ab9
SHA512

d4adf010dd558fb0f6a70b09c675c636dbe70be04e1495dfd7b113b0975141e0e891c1723837c1bae114a327cc056718934196b6ea9843839c23f16f78a144b6

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3268 3588 WerFault.exe gunzipped.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 3268 WerFault.exe
Token: SeBackupPrivilege 3268 WerFault.exe
Token: SeDebugPrivilege 3268 WerFault.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

WerFault.exe

pid	process
3268	WerFault.exe
3268	WerFault.exe
3268	WerFault.exe
3268	WerFault.exe
3268	WerFault.exe
3268	WerFault.exe
3268	WerFault.exe
3268	WerFault.exe
3268	WerFault.exe
3268	WerFault.exe
3268	WerFault.exe
3268	WerFault.exe
3268	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\gunzipped.exe
"C:\Users\Admin\AppData\Local\Temp\gunzipped.exe"
1⤵
PID:3588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 1168
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:3268

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3268-0-0x0000000004790000-0x0000000004791000-memory.dmp

Filesize
4KB

Download
memory/3268-1-0x0000000004DD0000-0x0000000004DD1000-memory.dmp

Filesize
4KB

Download