84b2c85896e126daf30adcd3942a299db9c72d6670c0e9accd6978752f87ada7 | Triage

Analysis

max time kernel
130s
max time network
133s
platform
windows10_x64
resource
win10
submitted
08/07/2020, 06:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Urgent Quotation RFQ-HL51L05.exe
Size

387KB
MD5

4db47e60a2839966b6cb14d69a1c3874
SHA1

55c69f4b300937aba360062a04b9d41e6e25fc83
SHA256

84b2c85896e126daf30adcd3942a299db9c72d6670c0e9accd6978752f87ada7
SHA512

98d196cfb02f942aaccd0200ff25cfc62326954637c800f825150c1bb8b581184fd644531d2fa16513d3d8a3678ffda0f88223cdf71c29e74a07acf18133ae2f

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3792	2920	WerFault.exe	66

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3792	WerFault.exe
3792	WerFault.exe
3792	WerFault.exe
3792	WerFault.exe
3792	WerFault.exe
3792	WerFault.exe
3792	WerFault.exe
3792	WerFault.exe
3792	WerFault.exe
3792	WerFault.exe
3792	WerFault.exe
3792	WerFault.exe
3792	WerFault.exe
3792	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	3792	WerFault.exe
Token: SeBackupPrivilege	3792	WerFault.exe
Token: SeDebugPrivilege	3792	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\Urgent Quotation RFQ-HL51L05.exe
"C:\Users\Admin\AppData\Local\Temp\Urgent Quotation RFQ-HL51L05.exe"
1⤵
PID:2920
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2920 -s 1252
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3792

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3792-0-0x0000000004560000-0x0000000004561000-memory.dmp

Filesize
4KB

Download
memory/3792-1-0x0000000004E10000-0x0000000004E11000-memory.dmp

Filesize
4KB

Download