General
Target:    3020-116-0x0000000000400000-0x0000000000414000-memory.dmp.exe
Filesize:  80KB
Completed: 01-12-2021 18:27
Task:      behavioral4
Score:     3/10
MD5:    01408ac403b5c33f965f650534f81a90
SHA1:   a1a23e1978fd58c9189817cca50163b06618b3bf
SHA256: f6b73646a1f1e97dacae54aa9a294eb12c19a3fe5c4ed578787b55eaac3c8ac9
SHA512: add8587516e42cced4466497322026408b6fe10a24c2c78feaf03210879a02b5ca92193e69ec5b445da485246872854a0d966373b9963b1a5adfac5834134404
Malware Config
Signatures (3)
Program crash (WerFault.exe)
Reported IOCs:
pid   pid_target  process       target process
4160  4384        WerFault.exe  3020-116-0x0000000000400000-0x0000000000414000-memory.dmp.exe

Suspicious behavior: EnumeratesProcesses (WerFault.exe)
Reported IOCs:
pid   process
4160  WerFault.exe   (this row is repeated 12 times in the report)

Suspicious use of AdjustPrivilegeToken (WerFault.exe)
Reported IOCs:
description                pid   process
Token: SeRestorePrivilege  4160  WerFault.exe
Token: SeBackupPrivilege   4160  WerFault.exe
Token: SeDebugPrivilege    4160  WerFault.exe
Processes (2)
C:\Users\Admin\AppData\Local\Temp\3020-116-0x0000000000400000-0x0000000000414000-memory.dmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3020-116-0x0000000000400000-0x0000000000414000-memory.dmp.exe"

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4384 -s 220
  Signatures:   Program crash; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix