40bccce2058d8a5d745d8b8714ed92fc17ba07630fbc1a422add7b6abc503560 | Triage

Analysis

max time kernel
147s
max time network
103s
platform
windows10_x64
resource
win10v200430
submitted
09/07/2020, 06:14

Sharing

Report Analysis Logs

General

Target

Access Invoice and project copy.exe
Size

879KB
MD5

756b78dd37760561d83d42afa30e4bae
SHA1

6fc2749fc19710d630e41f189b1d774e6ce9220e
SHA256

40bccce2058d8a5d745d8b8714ed92fc17ba07630fbc1a422add7b6abc503560
SHA512

c2d14d49539870936243049a9bf68e1b24ce87ef28fc4f49fef7207682e3b01e1c17bbee3863de00e81479cd62be2d32b65ae8f32a12b4a73fecd36887353cad

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2468	3768	WerFault.exe	65

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2468	WerFault.exe
2468	WerFault.exe
2468	WerFault.exe
2468	WerFault.exe
2468	WerFault.exe
2468	WerFault.exe
2468	WerFault.exe
2468	WerFault.exe
2468	WerFault.exe
2468	WerFault.exe
2468	WerFault.exe
2468	WerFault.exe
2468	WerFault.exe
2468	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	2468	WerFault.exe
Token: SeBackupPrivilege	2468	WerFault.exe
Token: SeDebugPrivilege	2468	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\Access Invoice and project copy.exe
"C:\Users\Admin\AppData\Local\Temp\Access Invoice and project copy.exe"
1⤵
PID:3768
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3768 -s 1148
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2468

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2468-0-0x00000000041E0000-0x00000000041E1000-memory.dmp

Filesize
4KB

Download