2e5adc24258e0aae79b688b0310985210ab03bffb789da8c80f5d2172e0ff323 | Triage

Analysis

max time kernel
133s
max time network
135s
platform
windows10_x64
resource
win10v200722
submitted
31-07-2020 12:12

Sharing

Report Analysis Logs

General

Target

AWB.exe
Size

789KB
MD5

00e07fbc04097cb40012208c6d59961f
SHA1

965e3a6594cba057b116b9f53aabd8976d815058
SHA256

2e5adc24258e0aae79b688b0310985210ab03bffb789da8c80f5d2172e0ff323
SHA512

85cf5e27a27f3ba2e6dd18f86c06eb3cbc7414ce9b8998a4b1ee3b20c9141e05347dd6cf220923d606f5e3a5650f91c065f1bf40d7fbc6c145414dfda937449f

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3596 4028 WerFault.exe AWB.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

AWB.exeWerFault.exe

pid	process
4028	AWB.exe
4028	AWB.exe
4028	AWB.exe
3596	WerFault.exe
3596	WerFault.exe
3596	WerFault.exe
3596	WerFault.exe
3596	WerFault.exe
3596	WerFault.exe
3596	WerFault.exe
3596	WerFault.exe
3596	WerFault.exe
3596	WerFault.exe
3596	WerFault.exe
3596	WerFault.exe
3596	WerFault.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

AWB.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	4028	AWB.exe
Token: SeRestorePrivilege	3596	WerFault.exe
Token: SeBackupPrivilege	3596	WerFault.exe
Token: SeDebugPrivilege	3596	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\AWB.exe
"C:\Users\Admin\AppData\Local\Temp\AWB.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4028 -s 968
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3596

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3596-0-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/3596-1-0x00000000055D0000-0x00000000055D1000-memory.dmp

Filesize
4KB

Download