1b3649284ca4a79f52fc8dac008634540bbb8aa49d0903b6899f8708b37a3df9 | Triage

Analysis

max time kernel
137s
max time network
96s
platform
windows10_x64
resource
win10v200430
submitted
07/07/2020, 09:33

Sharing

Report Analysis Logs

General

Target

PaymentConfirmation.exe
Size

598KB
MD5

968c93132fbe953eef1c9e9745fc5105
SHA1

fe1e8bd516af4ce7f8b4991de128f4f476cec9f9
SHA256

1b3649284ca4a79f52fc8dac008634540bbb8aa49d0903b6899f8708b37a3df9
SHA512

7a938b3f4c97a5c496a8ed6efa285676693c84148b6ef485d0f46b8ccba7d7b99e2db8bd1237134ec199480b3ceab5b5c3c7d85019c503506ba5ad784dd55047

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3832	992	WerFault.exe	66

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3832	WerFault.exe
3832	WerFault.exe
3832	WerFault.exe
3832	WerFault.exe
3832	WerFault.exe
3832	WerFault.exe
3832	WerFault.exe
3832	WerFault.exe
3832	WerFault.exe
3832	WerFault.exe
3832	WerFault.exe
3832	WerFault.exe
3832	WerFault.exe
3832	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	3832	WerFault.exe
Token: SeBackupPrivilege	3832	WerFault.exe
Token: SeDebugPrivilege	3832	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\PaymentConfirmation.exe
"C:\Users\Admin\AppData\Local\Temp\PaymentConfirmation.exe"
1⤵
PID:992
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 8268
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3832

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3832-0-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/3832-1-0x0000000005390000-0x0000000005391000-memory.dmp

Filesize
4KB

Download