4907bed25c3ed8f16d5e658f22fad83ef4d628dedc96d57f657e86e4dd2538f4 | Triage

Analysis

max time kernel
115s
max time network
117s
platform
windows10_x64
resource
win10v20201028
submitted
05-12-2020 03:14

Sharing

Report Analysis Logs

General

Target

sample.exe
Size

153KB
MD5

972092cbe7791d27fc9ff6e9acc12cc3
SHA1

5a9482423dd4b9c5ca7251d40420c6487489d8ad
SHA256

ac7068caed0df4e6427d635b4379a2eacf6ee03ed700b9f6ae74e9fe047381f1
SHA512

6ecc8e38d49280e3e16a6bcc1664a91b7fffe81162254cbd27bcb2c1093570f9ece1ee4128ba3d642d5cbeff76973cf47dd5003ff1c47358e32b268b497fa4f4

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3708 4800 WerFault.exe sample.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

pid	process
3708	WerFault.exe
3708	WerFault.exe
3708	WerFault.exe
3708	WerFault.exe
3708	WerFault.exe
3708	WerFault.exe
3708	WerFault.exe
3708	WerFault.exe
3708	WerFault.exe
3708	WerFault.exe
3708	WerFault.exe
3708	WerFault.exe
3708	WerFault.exe
3708	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 3708 WerFault.exe
Token: SeBackupPrivilege 3708 WerFault.exe
Token: SeDebugPrivilege 3708 WerFault.exe

C:\Users\Admin\AppData\Local\Temp\sample.exe
"C:\Users\Admin\AppData\Local\Temp\sample.exe"
1⤵
PID:4800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 284
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3708

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3708-2-0x0000000004250000-0x0000000004251000-memory.dmp

Filesize
4KB

Download
memory/3708-3-0x0000000004780000-0x0000000004781000-memory.dmp

Filesize
4KB

Download