5a9f5848c0305a43cf26c3776ed1d4683fbc9d2f59349cd741efe792313affaa | Triage

Analysis

max time kernel
74s
max time network
73s
platform
windows10_x64
resource
win10
submitted
24-06-2020 14:37

Sharing

Report Analysis Logs

General

Target

payment to new bank account.exe
Size

447KB
MD5

783f004a10ee4968177781da7c16afe6
SHA1

86ba9ef1a91abf63cf9a3c6bcc7a67fa37e3494e
SHA256

5a9f5848c0305a43cf26c3776ed1d4683fbc9d2f59349cd741efe792313affaa
SHA512

9c3f1f4234691671b3852380feff86462675cc6c1c855ab2ed1cd0f6e83d6ca0bb377589df9b0af74211bf0046034cc59a30871931d51d1bfae6b2750a4845d3

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4004 3536 WerFault.exe payment to new bank account.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

pid	process
4004	WerFault.exe
4004	WerFault.exe
4004	WerFault.exe
4004	WerFault.exe
4004	WerFault.exe
4004	WerFault.exe
4004	WerFault.exe
4004	WerFault.exe
4004	WerFault.exe
4004	WerFault.exe
4004	WerFault.exe
4004	WerFault.exe
4004	WerFault.exe
4004	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 4004 WerFault.exe
Token: SeBackupPrivilege 4004 WerFault.exe
Token: SeDebugPrivilege 4004 WerFault.exe

C:\Users\Admin\AppData\Local\Temp\payment to new bank account.exe
"C:\Users\Admin\AppData\Local\Temp\payment to new bank account.exe"
1⤵
PID:3536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3536 -s 1108
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4004

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4004-0-0x0000000004E40000-0x0000000004E41000-memory.dmp

Filesize
4KB

Download
memory/4004-1-0x0000000005830000-0x0000000005831000-memory.dmp

Filesize
4KB

Download