629a721f44640c6286b99cb22280a6bd499366f3b867d189328a6b4794116fb2 | Triage

Analysis

max time kernel
126s
max time network
149s
platform
windows10_x64
resource
win10v200430
submitted
09/07/2020, 18:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

purchase order.exe
Size

388KB
MD5

6e79b18d66d13b737710c054dda0ee91
SHA1

45e21f6dd77a784f7cb7e28725d3641bc67e9df5
SHA256

629a721f44640c6286b99cb22280a6bd499366f3b867d189328a6b4794116fb2
SHA512

fbb176c60c658bce931ed4b129709401b34af22914d6e36202de061fa62fc886f7cddbceb77dd9100a57edeac27c4229f11282cdba6798c57a9558c7de5a5838

Score

3^/10

Malware Config

Signatures

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	4092	WerFault.exe
Token: SeBackupPrivilege	4092	WerFault.exe
Token: SeDebugPrivilege	4092	WerFault.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
4092	WerFault.exe
4092	WerFault.exe
4092	WerFault.exe
4092	WerFault.exe
4092	WerFault.exe
4092	WerFault.exe
4092	WerFault.exe
4092	WerFault.exe
4092	WerFault.exe
4092	WerFault.exe
4092	WerFault.exe
4092	WerFault.exe
4092	WerFault.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4092	1612	WerFault.exe	67

C:\Users\Admin\AppData\Local\Temp\purchase order.exe
"C:\Users\Admin\AppData\Local\Temp\purchase order.exe"
1⤵
PID:1612
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 932
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  - Program crash
  PID:4092

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4092-0-0x0000000004540000-0x0000000004541000-memory.dmp

Filesize
4KB

Download
memory/4092-1-0x0000000004540000-0x0000000004541000-memory.dmp

Filesize
4KB

Download
memory/4092-3-0x0000000004BF0000-0x0000000004BF1000-memory.dmp

Filesize
4KB

Download