172f73b3500990962bfa7c18c0c6e7cd90346b757321b50adae3f7ce803efbe5 | Triage

Analysis

max time kernel
136s
max time network
102s
platform
windows10_x64
resource
win10v200430
submitted
08/07/2020, 08:53

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

overdue account letter.exe
Size

1023KB
MD5

c52a6413be880fd815cd76f4c59f1e46
SHA1

157c46446ca98f68133566167b35268028cdc67e
SHA256

172f73b3500990962bfa7c18c0c6e7cd90346b757321b50adae3f7ce803efbe5
SHA512

1d0e82d0ef5837a8a2d79ce4ea6773384b4b13e833286881e9193496c3c2ad4a43e89e59133b75d796180f9c46888d765cc63e38775088103e664f1fc21d6974

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2764	2804	WerFault.exe	65

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2764	WerFault.exe
2764	WerFault.exe
2764	WerFault.exe
2764	WerFault.exe
2764	WerFault.exe
2764	WerFault.exe
2764	WerFault.exe
2764	WerFault.exe
2764	WerFault.exe
2764	WerFault.exe
2764	WerFault.exe
2764	WerFault.exe
2764	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	2764	WerFault.exe
Token: SeBackupPrivilege	2764	WerFault.exe
Token: SeDebugPrivilege	2764	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\overdue account letter.exe
"C:\Users\Admin\AppData\Local\Temp\overdue account letter.exe"
1⤵
PID:2804
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2804 -s 1156
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2764

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2764-0-0x00000000042C0000-0x00000000042C1000-memory.dmp

Filesize
4KB

Download
memory/2764-1-0x0000000004C40000-0x0000000004C41000-memory.dmp

Filesize
4KB

Download