1c2f10aaf4e8b9a9e90316e8b470616bac893609cd85374cb11bb4a1a3971e5b | Triage

Analysis

max time kernel
65s
max time network
103s
platform
windows10_x64
resource
win10v200430
submitted
09/07/2020, 18:31

Sharing

Report Analysis Logs

General

Target

Sales note PO53.exe
Size

861KB
MD5

3e414d89b9f98f4cc6c5988634791c0a
SHA1

fd7d1e1c6b49b97db475ccc56958bee3964ad766
SHA256

1c2f10aaf4e8b9a9e90316e8b470616bac893609cd85374cb11bb4a1a3971e5b
SHA512

a7781136e267d2549d9f248830951170f4b6eaabbaa212df3307362a895414ae85ece41c25d1256e09302d5b1c603ca45d1e1753dac85ed5493acb2b8cbe6508

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2180	2564	WerFault.exe	65

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	2180	WerFault.exe
Token: SeBackupPrivilege	2180	WerFault.exe
Token: SeDebugPrivilege	2180	WerFault.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2180	WerFault.exe
2180	WerFault.exe
2180	WerFault.exe
2180	WerFault.exe
2180	WerFault.exe
2180	WerFault.exe
2180	WerFault.exe
2180	WerFault.exe
2180	WerFault.exe
2180	WerFault.exe
2180	WerFault.exe
2180	WerFault.exe
2180	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\Sales note PO53.exe
"C:\Users\Admin\AppData\Local\Temp\Sales note PO53.exe"
1⤵
PID:2564
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 1136
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  PID:2180

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2180-0-0x0000000004510000-0x0000000004511000-memory.dmp

Filesize
4KB

Download
memory/2180-1-0x0000000004CD0000-0x0000000004CD1000-memory.dmp

Filesize
4KB

Download
memory/2180-2-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download