16b611f0a2868d31b7d562b76fff4fb282da38d1d24838921631544cea1086e4 | Triage

Analysis

max time kernel
124s
max time network
127s
platform
windows10_x64
resource
win10
submitted
30-06-2020 12:34

Sharing

Report Analysis Logs

General

Target

RFQ (4500387063).exe
Size

430KB
MD5

a4cb84ddf99fb30ce17fd21b6e1c28a5
SHA1

9662ed80dbe678c1559ffc54285f5664ed630894
SHA256

16b611f0a2868d31b7d562b76fff4fb282da38d1d24838921631544cea1086e4
SHA512

4b48e9d15c4cbabc4ba0c3cd9d5c477de37cd1f5e0b8e9627de26edc5423ef3b7acdc6ddb19a1c0a2df19cce740c0c65d16922f885187f557df193664429f344

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3548 3908 WerFault.exe RFQ (4500387063).exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

WerFault.exe

pid	process
3548	WerFault.exe
3548	WerFault.exe
3548	WerFault.exe
3548	WerFault.exe
3548	WerFault.exe
3548	WerFault.exe
3548	WerFault.exe
3548	WerFault.exe
3548	WerFault.exe
3548	WerFault.exe
3548	WerFault.exe
3548	WerFault.exe
3548	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 3548 WerFault.exe
Token: SeBackupPrivilege 3548 WerFault.exe
Token: SeDebugPrivilege 3548 WerFault.exe

C:\Users\Admin\AppData\Local\Temp\RFQ (4500387063).exe
"C:\Users\Admin\AppData\Local\Temp\RFQ (4500387063).exe"
1⤵
PID:3908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3908 -s 892
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3548

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3548-0-0x0000000004300000-0x0000000004301000-memory.dmp

Filesize
4KB

Download
memory/3548-1-0x0000000004840000-0x0000000004841000-memory.dmp

Filesize
4KB

Download