7dfe5d9e3e099285a3bc63497d1ee47ac99b7012f23beb730d73557b40afa26c | Triage

Analysis

max time kernel
147s
max time network
72s
platform
windows10_x64
resource
win10v200430
submitted
28-06-2020 10:08

Sharing

Report Analysis Logs

General

Target

Inquiry Copy.exe
Size

519KB
MD5

5ebf752e445c2a9222357ea6ed653556
SHA1

ff7fd12de0ddd6fa819db103d023e1b3e24a36d2
SHA256

7dfe5d9e3e099285a3bc63497d1ee47ac99b7012f23beb730d73557b40afa26c
SHA512

0c16ec901b238d60176349c30cf9aa29d3522f8544d5cc32aeba71e72e3954051651808264551d639ae19ef384c865310c70092c334a7dc33cd64bdbfb2603a4

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

516 3768 WerFault.exe Inquiry Copy.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

WerFault.exe

pid	process
516	WerFault.exe
516	WerFault.exe
516	WerFault.exe
516	WerFault.exe
516	WerFault.exe
516	WerFault.exe
516	WerFault.exe
516	WerFault.exe
516	WerFault.exe
516	WerFault.exe
516	WerFault.exe
516	WerFault.exe
516	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 516 WerFault.exe
Token: SeBackupPrivilege 516 WerFault.exe
Token: SeDebugPrivilege 516 WerFault.exe

C:\Users\Admin\AppData\Local\Temp\Inquiry Copy.exe
"C:\Users\Admin\AppData\Local\Temp\Inquiry Copy.exe"
1⤵
PID:3768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3768 -s 1108
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:516

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/516-0-0x0000000004E20000-0x0000000004E21000-memory.dmp

Filesize
4KB

Download
memory/516-1-0x0000000004E20000-0x0000000004E21000-memory.dmp

Filesize
4KB

Download
memory/516-3-0x0000000005220000-0x0000000005221000-memory.dmp

Filesize
4KB

Download
memory/516-4-0x0000000005610000-0x0000000005611000-memory.dmp

Filesize
4KB

Download