54e5bf28236990158619205ebf0163d410eba535de8c3297b5fcd07921d2fec1 | Triage

Analysis

max time kernel
122s
max time network
117s
platform
windows10_x64
resource
win10
submitted
09-07-2020 14:31

Sharing

Report Analysis Logs

General

Target

Emergency Situation Surcharge Update.exe
Size

577KB
MD5

cf7a41ec6836313be154256346c8be42
SHA1

9bb4d33384638af7363fb55051a52bf9b77701af
SHA256

54e5bf28236990158619205ebf0163d410eba535de8c3297b5fcd07921d2fec1
SHA512

7925578f7a133da9eac24fdb1abd381f3de71e09dc7d8cf36d550a7e87c77614e1097649c58e301ce239d8a3671cb1bf658c4dc7c884694beb6d5fb30fb83f81

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3820 976 WerFault.exe Emergency Situation Surcharge Update.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

WerFault.exe

pid	process
3820	WerFault.exe
3820	WerFault.exe
3820	WerFault.exe
3820	WerFault.exe
3820	WerFault.exe
3820	WerFault.exe
3820	WerFault.exe
3820	WerFault.exe
3820	WerFault.exe
3820	WerFault.exe
3820	WerFault.exe
3820	WerFault.exe
3820	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 3820 WerFault.exe
Token: SeBackupPrivilege 3820 WerFault.exe
Token: SeDebugPrivilege 3820 WerFault.exe

C:\Users\Admin\AppData\Local\Temp\Emergency Situation Surcharge Update.exe
"C:\Users\Admin\AppData\Local\Temp\Emergency Situation Surcharge Update.exe"
1⤵
PID:976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 976 -s 1136
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3820

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3820-0-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/3820-1-0x00000000057B0000-0x00000000057B1000-memory.dmp

Filesize
4KB

Download