8a55cadaca08ee56bf3c8f26029cd4d473d394e232058a3aaec7203a884f3fde | Triage

Analysis

max time kernel
149s
max time network
69s
platform
windows10_x64
resource
win10v200722
submitted
04/08/2020, 17:26

Sharing

Report Analysis Logs

General

Target

fd301dd4e9524517169d7520132018f863c82056c7441ea59c2beb6ad186b25c.exe
Size

240KB
MD5

50a7db1362f5534a1b6adbf9ccbe9d5b
SHA1

b13adc442b918f8dd73038ebf1ee491d2ed44110
SHA256

fd301dd4e9524517169d7520132018f863c82056c7441ea59c2beb6ad186b25c
SHA512

627a39524136b95d4ae4528f45cb131492e84708434153e7f2909dc4609b06c916647adca97090431a4fb7a7df1b530c3ca4094c0ed5b55d1f1567b4bc5e4cb4

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1332	1928	WerFault.exe	66

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	1332	WerFault.exe
Token: SeBackupPrivilege	1332	WerFault.exe
Token: SeDebugPrivilege	1332	WerFault.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
1332	WerFault.exe
1332	WerFault.exe
1332	WerFault.exe
1332	WerFault.exe
1332	WerFault.exe
1332	WerFault.exe
1332	WerFault.exe
1332	WerFault.exe
1332	WerFault.exe
1332	WerFault.exe
1332	WerFault.exe
1332	WerFault.exe
1332	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\fd301dd4e9524517169d7520132018f863c82056c7441ea59c2beb6ad186b25c.exe
"C:\Users\Admin\AppData\Local\Temp\fd301dd4e9524517169d7520132018f863c82056c7441ea59c2beb6ad186b25c.exe"
1⤵
PID:1928
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 1388
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  PID:1332

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1332-0-0x0000000004F90000-0x0000000004F91000-memory.dmp

Filesize
4KB

Download
memory/1332-1-0x00000000056D0000-0x00000000056D1000-memory.dmp

Filesize
4KB

Download