841418cdd1e9639a6a192eb8f9fd9881f042f49a7cb2bd3463a8a6964a424b50 | Triage

Analysis

max time kernel
118s
max time network
123s
platform
windows10_x64
resource
win10
submitted
30-06-2020 13:36

Sharing

Report Analysis Logs

General

Target

CONSIGNEE BL. NO GLNL20063871.exe
Size

392KB
MD5

eafb5ecce79a78ff6f61de7830e3c492
SHA1

f6d454e65aabcf2ee7c13eb01b776e2d557bf30f
SHA256

841418cdd1e9639a6a192eb8f9fd9881f042f49a7cb2bd3463a8a6964a424b50
SHA512

99a64b81a8dbe8ae3a2f2601111fbf52f94cf496d4475b2635862ae6473a81e8d1faa5b69b941d0d0e0c361b2a39ea731033143c6cdad45ac8c6295381e5ca35

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3512 3916 WerFault.exe CONSIGNEE BL. NO GLNL20063871.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

WerFault.exe

pid	process
3512	WerFault.exe
3512	WerFault.exe
3512	WerFault.exe
3512	WerFault.exe
3512	WerFault.exe
3512	WerFault.exe
3512	WerFault.exe
3512	WerFault.exe
3512	WerFault.exe
3512	WerFault.exe
3512	WerFault.exe
3512	WerFault.exe
3512	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 3512 WerFault.exe
Token: SeBackupPrivilege 3512 WerFault.exe
Token: SeDebugPrivilege 3512 WerFault.exe

C:\Users\Admin\AppData\Local\Temp\CONSIGNEE BL. NO GLNL20063871.exe
"C:\Users\Admin\AppData\Local\Temp\CONSIGNEE BL. NO GLNL20063871.exe"
1⤵
PID:3916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3916 -s 896
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3512

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3512-0-0x0000000004E80000-0x0000000004E81000-memory.dmp

Filesize
4KB

Download
memory/3512-1-0x00000000053C0000-0x00000000053C1000-memory.dmp

Filesize
4KB

Download