6fa490f0cd759d3f124106c12c8136d6eb4546964eeadf613d4c56b88ff6cd62 | Triage

Analysis

max time kernel
134s
max time network
136s
platform
windows10_x64
resource
win10
submitted
08/07/2020, 09:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Attached New Order.exe
Size

912KB
MD5

4563aa91d3f76c975873f87b7bcababd
SHA1

ed4c93a69d511070ac80fb7784f0419c0e774d64
SHA256

6fa490f0cd759d3f124106c12c8136d6eb4546964eeadf613d4c56b88ff6cd62
SHA512

d478f69563002ddde512b13ae00e7aa313c7c8336f3940ebfb79003275dc656026b48b05574e0d2695ee19dd58c5cfd39d4bfcadfeddd227e7b1cae810ce13ae

Score

3^/10

Malware Config

Signatures

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	3856	WerFault.exe
Token: SeBackupPrivilege	3856	WerFault.exe
Token: SeDebugPrivilege	3856	WerFault.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
3856	WerFault.exe
3856	WerFault.exe
3856	WerFault.exe
3856	WerFault.exe
3856	WerFault.exe
3856	WerFault.exe
3856	WerFault.exe
3856	WerFault.exe
3856	WerFault.exe
3856	WerFault.exe
3856	WerFault.exe
3856	WerFault.exe
3856	WerFault.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3856	3676	WerFault.exe	66

C:\Users\Admin\AppData\Local\Temp\Attached New Order.exe
"C:\Users\Admin\AppData\Local\Temp\Attached New Order.exe"
1⤵
PID:3676
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3676 -s 1144
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  - Program crash
  PID:3856

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3856-0-0x0000000004640000-0x0000000004641000-memory.dmp

Filesize
4KB

Download
memory/3856-1-0x0000000004D80000-0x0000000004D81000-memory.dmp

Filesize
4KB

Download