88ac38fd4d4a5bff6e2f09c5071b6b8d654e2d65da6662c02d14fabb32047ca7 | Triage

Analysis

max time kernel
117s
max time network
140s
platform
windows10_x64
resource
win10v200430
submitted
09-07-2020 11:59

Sharing

Report Analysis Logs

General

Target

INVOICE999990.exe
Size

550KB
MD5

005f4b79b9e9fdb2690c8e2db96daa7d
SHA1

3a5235d9f3d7c048d569d2bfea64954c71be95a8
SHA256

88ac38fd4d4a5bff6e2f09c5071b6b8d654e2d65da6662c02d14fabb32047ca7
SHA512

541993e59dd90af133dffc4df7b10fd7889cd59e852f5fd3f5388cc2e87ff0883f4f5fdda523b7ac45f50860be7bd42526a7ce30ef493a877947af7cbb819bfb

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2528 2024 WerFault.exe INVOICE999990.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 2528 WerFault.exe
Token: SeBackupPrivilege 2528 WerFault.exe
Token: SeDebugPrivilege 2528 WerFault.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

WerFault.exe

pid	process
2528	WerFault.exe
2528	WerFault.exe
2528	WerFault.exe
2528	WerFault.exe
2528	WerFault.exe
2528	WerFault.exe
2528	WerFault.exe
2528	WerFault.exe
2528	WerFault.exe
2528	WerFault.exe
2528	WerFault.exe
2528	WerFault.exe
2528	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\INVOICE999990.exe
"C:\Users\Admin\AppData\Local\Temp\INVOICE999990.exe"
1⤵
PID:2024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2024 -s 1140
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:2528

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2528-0-0x0000000004930000-0x0000000004931000-memory.dmp

Filesize
4KB

Download
memory/2528-1-0x0000000004F70000-0x0000000004F71000-memory.dmp

Filesize
4KB

Download