1aa9ef9f0878b8dc89b3f02d4c051a1d9fcca3af5dd90eb4722876eb841e961d | Triage

Analysis

max time kernel
147s
max time network
101s
platform
windows10_x64
resource
win10v200430
submitted
30-06-2020 12:48

Sharing

Report Analysis Logs

General

Target

Payment Advice 3287326412.exe
Size

418KB
MD5

1ffcfdc38c6bbbba2717aa03e062ea11
SHA1

352885f4fd51ddea221c057d9ae478819fcaef80
SHA256

1aa9ef9f0878b8dc89b3f02d4c051a1d9fcca3af5dd90eb4722876eb841e961d
SHA512

717358dcd7a5338c528fc8614c1192b5aee60f34512bca37df9f30cfd8ec5f174724aa6d3d90a5f9be746a97c7de4e40b9a506a421d681cee0d0149d7ad764f0

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2468 3768 WerFault.exe Payment Advice 3287326412.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

WerFault.exe

pid	process
2468	WerFault.exe
2468	WerFault.exe
2468	WerFault.exe
2468	WerFault.exe
2468	WerFault.exe
2468	WerFault.exe
2468	WerFault.exe
2468	WerFault.exe
2468	WerFault.exe
2468	WerFault.exe
2468	WerFault.exe
2468	WerFault.exe
2468	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 2468 WerFault.exe
Token: SeBackupPrivilege 2468 WerFault.exe
Token: SeDebugPrivilege 2468 WerFault.exe

C:\Users\Admin\AppData\Local\Temp\Payment Advice 3287326412.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Advice 3287326412.exe"
1⤵
PID:3768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3768 -s 896
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2468

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2468-0-0x0000000004220000-0x0000000004221000-memory.dmp

Filesize
4KB

Download
memory/2468-1-0x0000000004660000-0x0000000004661000-memory.dmp

Filesize
4KB

Download