88ac38fd4d4a5bff6e2f09c5071b6b8d654e2d65da6662c02d14fabb32047ca7 | Triage

Analysis

max time kernel
117s
max time network
140s
platform
windows10_x64
resource
win10v200430
submitted
09/07/2020, 11:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

INVOICE999990.exe
Size

550KB
MD5

005f4b79b9e9fdb2690c8e2db96daa7d
SHA1

3a5235d9f3d7c048d569d2bfea64954c71be95a8
SHA256

88ac38fd4d4a5bff6e2f09c5071b6b8d654e2d65da6662c02d14fabb32047ca7
SHA512

541993e59dd90af133dffc4df7b10fd7889cd59e852f5fd3f5388cc2e87ff0883f4f5fdda523b7ac45f50860be7bd42526a7ce30ef493a877947af7cbb819bfb

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2528	2024	WerFault.exe	67

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	2528	WerFault.exe
Token: SeBackupPrivilege	2528	WerFault.exe
Token: SeDebugPrivilege	2528	WerFault.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2528	WerFault.exe
2528	WerFault.exe
2528	WerFault.exe
2528	WerFault.exe
2528	WerFault.exe
2528	WerFault.exe
2528	WerFault.exe
2528	WerFault.exe
2528	WerFault.exe
2528	WerFault.exe
2528	WerFault.exe
2528	WerFault.exe
2528	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\INVOICE999990.exe
"C:\Users\Admin\AppData\Local\Temp\INVOICE999990.exe"
1⤵
PID:2024
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2024 -s 1140
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  PID:2528

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2528-0-0x0000000004930000-0x0000000004931000-memory.dmp

Filesize
4KB

Download
memory/2528-1-0x0000000004F70000-0x0000000004F71000-memory.dmp

Filesize
4KB

Download