de2955c99e6c58997641899e6534142f26de80368887da0c4fb501eb1b027308 | Triage

Analysis

max time kernel
93s
max time network
137s
platform
windows10_x64
resource
win10
submitted
30-06-2020 14:33

Sharing

Report Analysis Logs

General

Target

RFQ.exe
Size

910KB
MD5

3b96b40684f1b7ae1d901e17cfe6bbca
SHA1

5ac9d18cdb4a218b17382f8afe157348ecb18f5e
SHA256

de2955c99e6c58997641899e6534142f26de80368887da0c4fb501eb1b027308
SHA512

30755b94e4482703affcba7f442cea5198d27fc841d915182e994f867832a4e63a369d74cd9537fa910e3f52ad9152d5d547e68559f951d203f5b9fa9211447c

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3828 3068 WerFault.exe RFQ.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 3828 WerFault.exe
Token: SeBackupPrivilege 3828 WerFault.exe
Token: SeDebugPrivilege 3828 WerFault.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

pid	process
3828	WerFault.exe
3828	WerFault.exe
3828	WerFault.exe
3828	WerFault.exe
3828	WerFault.exe
3828	WerFault.exe
3828	WerFault.exe
3828	WerFault.exe
3828	WerFault.exe
3828	WerFault.exe
3828	WerFault.exe
3828	WerFault.exe
3828	WerFault.exe
3828	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\RFQ.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ.exe"
1⤵
PID:3068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3068 -s 1140
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:3828

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3828-0-0x0000000004AE0000-0x0000000004AE1000-memory.dmp

Filesize
4KB

Download
memory/3828-2-0x00000000052C0000-0x00000000052C1000-memory.dmp

Filesize
4KB

Download