9eb46ce54466b221c7f56d3af4c22be517472189d7e907ead1b4c3fa4cfeb831 | Triage

Analysis

max time kernel
122s
max time network
122s
platform
windows10_x64
resource
win10
submitted
07/07/2020, 18:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

RFQ.scr
Size

323KB
MD5

ea7a70eb4f75f34597cea8f569a39543
SHA1

e91593b1a0e7df15765b33250477f584f12d42c0
SHA256

9eb46ce54466b221c7f56d3af4c22be517472189d7e907ead1b4c3fa4cfeb831
SHA512

46efe034cdc453dd4bb6c6a00256e341943eae5d05f2d2ca3c445919114d5f3d1aa499f6d989c9c73ea0c78749916bd4a9f8909db88057d3a76d87bf77e09594

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2412	3704	WerFault.exe	66

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3704	RFQ.scr
Token: SeRestorePrivilege	2412	WerFault.exe
Token: SeBackupPrivilege	2412	WerFault.exe
Token: SeDebugPrivilege	2412	WerFault.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
3704	RFQ.scr
2412	WerFault.exe
2412	WerFault.exe
2412	WerFault.exe
2412	WerFault.exe
2412	WerFault.exe
2412	WerFault.exe
2412	WerFault.exe
2412	WerFault.exe
2412	WerFault.exe
2412	WerFault.exe
2412	WerFault.exe
2412	WerFault.exe
2412	WerFault.exe
2412	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\RFQ.scr
"C:\Users\Admin\AppData\Local\Temp\RFQ.scr" /S
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:3704
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3704 -s 936
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  PID:2412

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2412-0-0x0000000004F10000-0x0000000004F11000-memory.dmp

Filesize
4KB

Download
memory/2412-1-0x0000000005650000-0x0000000005651000-memory.dmp

Filesize
4KB

Download