809cfc5886806460a65acf74e8611daa26cc71a231d12e05ef5c13377d474947 | Triage

Analysis

max time kernel
14s
max time network
66s
platform
windows10_x64
resource
win10v20201028
submitted
26-11-2020 14:51

Sharing

Report Analysis Logs

General

Target

crypt.exe
Size

416KB
MD5

e793fdd19ba94ce44ffcafcb8439f376
SHA1

7014752978ffe24dabd02e539cb5ec59c1429639
SHA256

809cfc5886806460a65acf74e8611daa26cc71a231d12e05ef5c13377d474947
SHA512

cf4b78ee838eb99fb47d07f5ed165f84a13d44d9d61936014d63eaa8a92610ad2ee34b592ddb8d73e5e2de6fff76cc9a4d1fc09ed994dd1ebaa2314b3088fd34

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3532 1400 WerFault.exe crypt.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

pid	process
3532	WerFault.exe
3532	WerFault.exe
3532	WerFault.exe
3532	WerFault.exe
3532	WerFault.exe
3532	WerFault.exe
3532	WerFault.exe
3532	WerFault.exe
3532	WerFault.exe
3532	WerFault.exe
3532	WerFault.exe
3532	WerFault.exe
3532	WerFault.exe
3532	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 3532 WerFault.exe
Token: SeBackupPrivilege 3532 WerFault.exe
Token: SeDebugPrivilege 3532 WerFault.exe

C:\Users\Admin\AppData\Local\Temp\crypt.exe
"C:\Users\Admin\AppData\Local\Temp\crypt.exe"
1⤵
PID:1400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1400 -s 348
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3532

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3532-0-0x0000000004CC0000-0x0000000004CC1000-memory.dmp

Filesize
4KB

Download
memory/3532-1-0x00000000053F0000-0x00000000053F1000-memory.dmp

Filesize
4KB

Download