e6d6cda38ec798c76fb5727c7af199c496408484c68f3d7c0d34d6be09900ca0 | Triage

Analysis

max time kernel
138s
max time network
102s
platform
windows10_x64
resource
win10v200430
submitted
08-07-2020 06:28

Sharing

Report Analysis Logs

General

Target

New QUOTATION.exe
Size

723KB
MD5

3162b1cabee9fd3d873f5db5f189bc08
SHA1

041ad07777f7da39d8f75ebef505497729b474ca
SHA256

e6d6cda38ec798c76fb5727c7af199c496408484c68f3d7c0d34d6be09900ca0
SHA512

1e2267ff9fb8a927d92f0c169653d0bbe626bdf39c085bca56c6ac507143446ea0b42a518e6a080a0a3d0bbc5d21930636e084fe5f79254a3ce29fa9535e72b7

Score

3^/10

Malware Config

Signatures

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 2232 WerFault.exe
Token: SeBackupPrivilege 2232 WerFault.exe
Token: SeDebugPrivilege 2232 WerFault.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

WerFault.exe

pid	process
2232	WerFault.exe
2232	WerFault.exe
2232	WerFault.exe
2232	WerFault.exe
2232	WerFault.exe
2232	WerFault.exe
2232	WerFault.exe
2232	WerFault.exe
2232	WerFault.exe
2232	WerFault.exe
2232	WerFault.exe
2232	WerFault.exe
2232	WerFault.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2232 3724 WerFault.exe New QUOTATION.exe

C:\Users\Admin\AppData\Local\Temp\New QUOTATION.exe
"C:\Users\Admin\AppData\Local\Temp\New QUOTATION.exe"
1⤵
PID:3724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3724 -s 1148
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Program crash
PID:2232

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2232-0-0x0000000004540000-0x0000000004541000-memory.dmp

Filesize
4KB

Download
memory/2232-1-0x0000000004D00000-0x0000000004D01000-memory.dmp

Filesize
4KB

Download