a26b0b8ed3e9a7159a68553861239c8ba255afcf36fc645d33bc3a36b7849496 | Triage

Analysis

max time kernel
137s
max time network
70s
platform
windows10_x64
resource
win10v200430
submitted
07-07-2020 08:29

Sharing

Report Analysis Logs

General

Target

payment.exe
Size

479KB
MD5

c7c93dec3793f885f2989f6b6e8cef69
SHA1

91aad3b2300b4212482a8bf15ce87d8832c359f5
SHA256

a26b0b8ed3e9a7159a68553861239c8ba255afcf36fc645d33bc3a36b7849496
SHA512

ae715317b33950cd5fa62572a4dea7cbb63a62281f3e7b224654be713fb6afa2820d1acc890ce861251d353ce065da5a40e0c49d51c92acea55c5526a5b6289c

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1924	992	WerFault.exe	66

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	992	payment.exe
Token: SeRestorePrivilege	1924	WerFault.exe
Token: SeBackupPrivilege	1924	WerFault.exe
Token: SeDebugPrivilege	1924	WerFault.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
992	payment.exe
1924	WerFault.exe
1924	WerFault.exe
1924	WerFault.exe
1924	WerFault.exe
1924	WerFault.exe
1924	WerFault.exe
1924	WerFault.exe
1924	WerFault.exe
1924	WerFault.exe
1924	WerFault.exe
1924	WerFault.exe
1924	WerFault.exe
1924	WerFault.exe
1924	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\payment.exe
"C:\Users\Admin\AppData\Local\Temp\payment.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:992
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 940
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  PID:1924

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1924-0-0x0000000004810000-0x0000000004811000-memory.dmp

Filesize
4KB

Download
memory/1924-1-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download