98ec6884be9b64e2e37a37460bd3d8ca770f2ef2d1d5cd4b6321a01462c8d32b | Triage

Analysis

max time kernel
65s
max time network
98s
platform
windows10_x64
resource
win10
submitted
07/07/2020, 05:33

Sharing

Report Analysis Logs

General

Target

Agency Fund JUNE20_Revised.exe
Size

948KB
MD5

cfdd2d3dc883211f7a6f934e4b295714
SHA1

e7deccd6d0685263d69a4cdff890baa0865770b1
SHA256

98ec6884be9b64e2e37a37460bd3d8ca770f2ef2d1d5cd4b6321a01462c8d32b
SHA512

b14684e7d37c884eb2da0066ddf694360a56f279be55f8335985c0a82882b54f39f42e4fd991e77f5e394d6f29b386194365003c6dd048c6d5ed87c2172073a7

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3868	3888	WerFault.exe	66

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	3868	WerFault.exe
Token: SeBackupPrivilege	3868	WerFault.exe
Token: SeDebugPrivilege	3868	WerFault.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
3868	WerFault.exe
3868	WerFault.exe
3868	WerFault.exe
3868	WerFault.exe
3868	WerFault.exe
3868	WerFault.exe
3868	WerFault.exe
3868	WerFault.exe
3868	WerFault.exe
3868	WerFault.exe
3868	WerFault.exe
3868	WerFault.exe
3868	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\Agency Fund JUNE20_Revised.exe
"C:\Users\Admin\AppData\Local\Temp\Agency Fund JUNE20_Revised.exe"
1⤵
PID:3888
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3888 -s 936
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  PID:3868

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3868-0-0x0000000004610000-0x0000000004611000-memory.dmp

Filesize
4KB

Download
memory/3868-2-0x0000000004BD0000-0x0000000004BD1000-memory.dmp

Filesize
4KB

Download