61f91b1ac578efd7d0eda15f45a7298fca86e41ab5f2c46e963ef950ac0df09a | Triage

Analysis

max time kernel
129s
max time network
128s
platform
windows10_x64
resource
win10
submitted
08/07/2020, 12:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Order#210420.exe
Size

1.1MB
MD5

80bf3d2f70c294bc8f260711b390a649
SHA1

3221d3ed23fc934b767fd0a5fdb1d2f853191ff7
SHA256

61f91b1ac578efd7d0eda15f45a7298fca86e41ab5f2c46e963ef950ac0df09a
SHA512

56abd572e29b62a0af6a5d7cb5ca85dbf40443f0ec8ae3a37b3a1fc280011f8a6161993415d6d6c618a64c113c617d794c20563e677987c94f65c4f835d85bbd

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1940	2920	WerFault.exe	66

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
1940	WerFault.exe
1940	WerFault.exe
1940	WerFault.exe
1940	WerFault.exe
1940	WerFault.exe
1940	WerFault.exe
1940	WerFault.exe
1940	WerFault.exe
1940	WerFault.exe
1940	WerFault.exe
1940	WerFault.exe
1940	WerFault.exe
1940	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	1940	WerFault.exe
Token: SeBackupPrivilege	1940	WerFault.exe
Token: SeDebugPrivilege	1940	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\Order#210420.exe
"C:\Users\Admin\AppData\Local\Temp\Order#210420.exe"
1⤵
PID:2920
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2920 -s 1144
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1940

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1940-0-0x0000000004750000-0x0000000004751000-memory.dmp

Filesize
4KB

Download
memory/1940-1-0x0000000004D90000-0x0000000004D91000-memory.dmp

Filesize
4KB

Download