c8f62dda091a29ed35c26e212840d0c260c9f420f5a7940b2b1f088ad10a3c2d | Triage

Analysis

max time kernel
143s
max time network
138s
platform
windows10_x64
resource
win10
submitted
09/07/2020, 12:15

Sharing

Report Analysis Logs

General

Target

Invoice.exe
Size

533KB
MD5

676213812fcd942f150519418bad81f0
SHA1

63c6513df8879238baef6869bd2c2c5324626337
SHA256

c8f62dda091a29ed35c26e212840d0c260c9f420f5a7940b2b1f088ad10a3c2d
SHA512

945e542fc9dca0dc00f342749fd4662fadf68b2284b8955211771f8a4d2bf897e12ee10fe9435b57bdd757aa954a239ed0f42d5e787f827113e69f825262b730

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3840	2460	WerFault.exe	66

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
3840	WerFault.exe
3840	WerFault.exe
3840	WerFault.exe
3840	WerFault.exe
3840	WerFault.exe
3840	WerFault.exe
3840	WerFault.exe
3840	WerFault.exe
3840	WerFault.exe
3840	WerFault.exe
3840	WerFault.exe
3840	WerFault.exe
3840	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	3840	WerFault.exe
Token: SeBackupPrivilege	3840	WerFault.exe
Token: SeDebugPrivilege	3840	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\Invoice.exe
"C:\Users\Admin\AppData\Local\Temp\Invoice.exe"
1⤵
PID:2460
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2460 -s 1136
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3840

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3840-0-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/3840-1-0x00000000051B0000-0x00000000051B1000-memory.dmp

Filesize
4KB

Download