54519fe3bb2beec228d65ef66bb64cb19beb8bd0f6cc7d973b69137950f5bc6f | Triage

Analysis

max time kernel
149s
max time network
103s
platform
windows10_x64
resource
win10v200430
submitted
09/07/2020, 18:43

Sharing

Report Analysis Logs

General

Target

DHL SHIPMENT #0942002 VDATA FORM UPDATE.exe
Size

390KB
MD5

61780c25be41f62f4431c32213bd7d86
SHA1

4d0369b6c48d01615208aa52eb53a264e4e34d56
SHA256

54519fe3bb2beec228d65ef66bb64cb19beb8bd0f6cc7d973b69137950f5bc6f
SHA512

4370f56e3a3afb3070257bbb9178b98c9de881020e6752c767a1f2ee3b967ed81c1b9bc44e68eb65b095e83a22ff367a4600f8f34c8894120940432e126ebe14

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2416	2612	WerFault.exe	65

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	2416	WerFault.exe
Token: SeBackupPrivilege	2416	WerFault.exe
Token: SeDebugPrivilege	2416	WerFault.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2416	WerFault.exe
2416	WerFault.exe
2416	WerFault.exe
2416	WerFault.exe
2416	WerFault.exe
2416	WerFault.exe
2416	WerFault.exe
2416	WerFault.exe
2416	WerFault.exe
2416	WerFault.exe
2416	WerFault.exe
2416	WerFault.exe
2416	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\DHL SHIPMENT #0942002 VDATA FORM UPDATE.exe
"C:\Users\Admin\AppData\Local\Temp\DHL SHIPMENT #0942002 VDATA FORM UPDATE.exe"
1⤵
PID:2612
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2612 -s 1136
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  PID:2416

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2416-0-0x0000000004560000-0x0000000004561000-memory.dmp

Filesize
4KB

Download
memory/2416-1-0x0000000004CA0000-0x0000000004CA1000-memory.dmp

Filesize
4KB

Download