a4ae57283aed9c08180d74dfadb082d76e10cb6f4b01a45d1145c60f651da100 | Triage

Analysis

max time kernel
135s
max time network
100s
platform
windows10_x64
resource
win10v200430
submitted
07/07/2020, 08:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Inquired Order JULY 07.exe
Size

647KB
MD5

d7c67c7b8828726f9162a31f13ae9384
SHA1

7a2e1b9d65f949f66b2636f706e8d5219b485af6
SHA256

a4ae57283aed9c08180d74dfadb082d76e10cb6f4b01a45d1145c60f651da100
SHA512

c100cc2455ae12dc4bbc000b4b79cf454060d9dc6591033d15c6e2b19a3370863a38f05c2c24c9b977a9dc53a8db24d3c3aa7dab5344cc59b4ded278b2d850a1

Score

3^/10

Malware Config

Signatures

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	2152	WerFault.exe
Token: SeBackupPrivilege	2152	WerFault.exe
Token: SeDebugPrivilege	2152	WerFault.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2152	WerFault.exe
2152	WerFault.exe
2152	WerFault.exe
2152	WerFault.exe
2152	WerFault.exe
2152	WerFault.exe
2152	WerFault.exe
2152	WerFault.exe
2152	WerFault.exe
2152	WerFault.exe
2152	WerFault.exe
2152	WerFault.exe
2152	WerFault.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2152	1768	WerFault.exe	65

C:\Users\Admin\AppData\Local\Temp\Inquired Order JULY 07.exe
"C:\Users\Admin\AppData\Local\Temp\Inquired Order JULY 07.exe"
1⤵
PID:1768
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 944
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  - Program crash
  PID:2152

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2152-0-0x0000000004AA0000-0x0000000004AA1000-memory.dmp

Filesize
4KB

Download
memory/2152-1-0x0000000005220000-0x0000000005221000-memory.dmp

Filesize
4KB

Download