9549de756b08b36a2f827b0a1e721eff0365f4586c74b3732a78f1afdf471a32 | Triage

Analysis

max time kernel
135s
max time network
100s
platform
windows10_x64
resource
win10v200430
submitted
09-07-2020 15:14

Sharing

Report Analysis Logs

General

Target

Orden de compra Scan_20200708_0935130.exe
Size

547KB
MD5

66c29fafcbc0ceb7cf119cbf2d66f674
SHA1

c27ecff04c022e6c0a6339b668dadee831cd6ed6
SHA256

9549de756b08b36a2f827b0a1e721eff0365f4586c74b3732a78f1afdf471a32
SHA512

19092c3a9c91ece5007fe955d067f05e792efa78bfd55280365538019f0aa4136ba79537df68069a751118341f11aa55a9e3c44fdda8573a02d3ab6761e03009

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2744 2804 WerFault.exe Orden de compra Scan_20200708_0935130.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

WerFault.exe

pid	process
2744	WerFault.exe
2744	WerFault.exe
2744	WerFault.exe
2744	WerFault.exe
2744	WerFault.exe
2744	WerFault.exe
2744	WerFault.exe
2744	WerFault.exe
2744	WerFault.exe
2744	WerFault.exe
2744	WerFault.exe
2744	WerFault.exe
2744	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 2744 WerFault.exe
Token: SeBackupPrivilege 2744 WerFault.exe
Token: SeDebugPrivilege 2744 WerFault.exe

C:\Users\Admin\AppData\Local\Temp\Orden de compra Scan_20200708_0935130.exe
"C:\Users\Admin\AppData\Local\Temp\Orden de compra Scan_20200708_0935130.exe"
1⤵
PID:2804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2804 -s 1136
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2744

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2744-0-0x0000000004ED0000-0x0000000004ED1000-memory.dmp

Filesize
4KB

Download
memory/2744-1-0x0000000005510000-0x0000000005511000-memory.dmp

Filesize
4KB

Download