61ee39a1638079b55aca52d3949c677844e5e26438e06ab9510885ae8fbb664e | Triage

Analysis

max time kernel
147s
max time network
62s
platform
windows10_x64
resource
win10v200430
submitted
23/06/2020, 19:15

Sharing

Report Analysis Logs

General

Target

b86822b9a8982b84973a2fba76e502fd2b80189a636df117283207f025a59c5e.exe
Size

329KB
MD5

532abd14ecb22070d712db00cd3703c0
SHA1

502aaa6f9075e1108a96739d899c28f3015e1605
SHA256

b86822b9a8982b84973a2fba76e502fd2b80189a636df117283207f025a59c5e
SHA512

716864f25df0a7fb6592ca93848ee68570410ea361b118a71f2daa7baea84d00675ba1b76b36ddb225df827f51188e3480f8e05f65ca6c166e588e1c727fa760

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
644	3768	WerFault.exe	65

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	644	WerFault.exe
Token: SeBackupPrivilege	644	WerFault.exe
Token: SeDebugPrivilege	644	WerFault.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
644	WerFault.exe
644	WerFault.exe
644	WerFault.exe
644	WerFault.exe
644	WerFault.exe
644	WerFault.exe
644	WerFault.exe
644	WerFault.exe
644	WerFault.exe
644	WerFault.exe
644	WerFault.exe
644	WerFault.exe
644	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\b86822b9a8982b84973a2fba76e502fd2b80189a636df117283207f025a59c5e.exe
"C:\Users\Admin\AppData\Local\Temp\b86822b9a8982b84973a2fba76e502fd2b80189a636df117283207f025a59c5e.exe"
1⤵
PID:3768
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3768 -s 560
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  PID:644

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/644-0-0x0000000004670000-0x0000000004671000-memory.dmp

Filesize
4KB

Download
memory/644-1-0x0000000004CA0000-0x0000000004CA1000-memory.dmp

Filesize
4KB

Download