a7af597188e3940ae7010e605d11e10b33f48632d2fec2c061c0c46d75c531b1 | Triage

Analysis

max time kernel
65s
max time network
115s
platform
windows10_x64
resource
win10v200722
submitted
31-07-2020 13:48

Sharing

Report Analysis Logs

General

Target

Scanned doc.exe
Size

482KB
MD5

70cf26be4ca82d7a3e0c7092d02d0520
SHA1

33701ba7b7ecec46decec6095dd47eb455f540d6
SHA256

a7af597188e3940ae7010e605d11e10b33f48632d2fec2c061c0c46d75c531b1
SHA512

50241a5e3863c3c249f00cbfebeabe705509f7cd4a4d2521334959ed0f50694dd8ce105dd3274e038ceb72fc2e22a49f3209f8f163ca2c95c0d10ed96e45376f

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2548 3904 WerFault.exe Scanned doc.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

WerFault.exe

pid	process
2548	WerFault.exe
2548	WerFault.exe
2548	WerFault.exe
2548	WerFault.exe
2548	WerFault.exe
2548	WerFault.exe
2548	WerFault.exe
2548	WerFault.exe
2548	WerFault.exe
2548	WerFault.exe
2548	WerFault.exe
2548	WerFault.exe
2548	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 2548 WerFault.exe
Token: SeBackupPrivilege 2548 WerFault.exe
Token: SeDebugPrivilege 2548 WerFault.exe

C:\Users\Admin\AppData\Local\Temp\Scanned doc.exe
"C:\Users\Admin\AppData\Local\Temp\Scanned doc.exe"
1⤵
PID:3904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 1176
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2548

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2548-0-0x0000000004220000-0x0000000004221000-memory.dmp

Filesize
4KB

Download
memory/2548-1-0x0000000004960000-0x0000000004961000-memory.dmp

Filesize
4KB

Download