03a8582db8f34154ed1e18821d8d7e2df2148ce0c36b06ed7fb91f387e3f0aa6 | Triage

Analysis

max time kernel
131s
max time network
69s
platform
windows10_x64
resource
win10v200430
submitted
07/07/2020, 08:52

Sharing

Report Analysis Logs

General

Target

Invoice.exe
Size

5.1MB
MD5

7f1e268e77797a3049136b2e8b67a997
SHA1

27c0a7cb6cf140d6ad7109cfb2c0f64af73f6e8c
SHA256

03a8582db8f34154ed1e18821d8d7e2df2148ce0c36b06ed7fb91f387e3f0aa6
SHA512

0ddd4c099c3bb57f2f836793fabe78e9679f56caa80105d1d04f90866f533d37437873379b598ce5d5e56bea849a5717de599b37175052ca389cfc80568ee8a3

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1532	1732	WerFault.exe	67

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1732	Invoice.exe
Token: SeRestorePrivilege	1532	WerFault.exe
Token: SeBackupPrivilege	1532	WerFault.exe
Token: SeDebugPrivilege	1532	WerFault.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
1732	Invoice.exe
1532	WerFault.exe
1532	WerFault.exe
1532	WerFault.exe
1532	WerFault.exe
1532	WerFault.exe
1532	WerFault.exe
1532	WerFault.exe
1532	WerFault.exe
1532	WerFault.exe
1532	WerFault.exe
1532	WerFault.exe
1532	WerFault.exe
1532	WerFault.exe
1532	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\Invoice.exe
"C:\Users\Admin\AppData\Local\Temp\Invoice.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:1732
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1732 -s 940
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  PID:1532

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1532-0-0x0000000004310000-0x0000000004311000-memory.dmp

Filesize
4KB

Download
memory/1532-1-0x0000000004310000-0x0000000004311000-memory.dmp

Filesize
4KB

Download
memory/1532-3-0x0000000004AD0000-0x0000000004AD1000-memory.dmp

Filesize
4KB

Download