4eb7a7353a49eb38c15ab6bbd8226493daa643ebedbca960bd94f05c33201bef | Triage

Analysis

max time kernel
131s
max time network
127s
platform
windows10_x64
resource
win10
submitted
07/07/2020, 13:11

Sharing

Report Analysis Logs

General

Target

RFQ.20200307.exe
Size

238KB
MD5

e857a0b6a93f6247362ade805dfc27b8
SHA1

8fe80b60dc811856cbd64f56d326bb485343e4e5
SHA256

4eb7a7353a49eb38c15ab6bbd8226493daa643ebedbca960bd94f05c33201bef
SHA512

72f42436f0fd131e8ca97ab04abfbae62d3f52c816e2dbc96dd735d1ff4eeb9bb6e70649ccd8dd7fe599db376ba4114e94acf86d53ee5cbe16219159a5d7006a

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3840	2920	WerFault.exe	66

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	3840	WerFault.exe
Token: SeBackupPrivilege	3840	WerFault.exe
Token: SeDebugPrivilege	3840	WerFault.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3840	WerFault.exe
3840	WerFault.exe
3840	WerFault.exe
3840	WerFault.exe
3840	WerFault.exe
3840	WerFault.exe
3840	WerFault.exe
3840	WerFault.exe
3840	WerFault.exe
3840	WerFault.exe
3840	WerFault.exe
3840	WerFault.exe
3840	WerFault.exe
3840	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\RFQ.20200307.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ.20200307.exe"
1⤵
PID:2920
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2920 -s 1132
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  PID:3840

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3840-0-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/3840-1-0x0000000005390000-0x0000000005391000-memory.dmp

Filesize
4KB

Download