afd6b1e702594fade530dbea01203d1e356e2d00b7471a5e045f58333688ca47 | Triage

Analysis

max time kernel
129s
max time network
100s
platform
windows10_x64
resource
win10v200430
submitted
10-07-2020 20:04

Sharing

Report Analysis Logs

General

Target

new shipment.exe
Size

608KB
MD5

6a36b2e412bde6f4a7dfb86f352447f1
SHA1

0437641da93b27db1e85a805c59db510573ec5ad
SHA256

afd6b1e702594fade530dbea01203d1e356e2d00b7471a5e045f58333688ca47
SHA512

27ef0b05762f421bff4e4e874f133208344f55202504b5fa8f2e9996ba408800916606436252660c81ea739a7b5503df626cdee5b99b81b92f1fe83b13ec7a55

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2832 1616 WerFault.exe new shipment.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

WerFault.exe

pid	process
2832	WerFault.exe
2832	WerFault.exe
2832	WerFault.exe
2832	WerFault.exe
2832	WerFault.exe
2832	WerFault.exe
2832	WerFault.exe
2832	WerFault.exe
2832	WerFault.exe
2832	WerFault.exe
2832	WerFault.exe
2832	WerFault.exe
2832	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 2832 WerFault.exe
Token: SeBackupPrivilege 2832 WerFault.exe
Token: SeDebugPrivilege 2832 WerFault.exe

C:\Users\Admin\AppData\Local\Temp\new shipment.exe
"C:\Users\Admin\AppData\Local\Temp\new shipment.exe"
1⤵
PID:1616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1616 -s 920
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2832

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2832-0-0x0000000004810000-0x0000000004811000-memory.dmp

Filesize
4KB

Download
memory/2832-1-0x0000000004810000-0x0000000004811000-memory.dmp

Filesize
4KB

Download
memory/2832-3-0x0000000004A90000-0x0000000004A91000-memory.dmp

Filesize
4KB

Download