0be3470e0c0afeded793f139be36a34de63714490ff86e5a9e0fa9a584ea20cc | Triage

Analysis

max time kernel
69s
max time network
120s
platform
windows10_x64
resource
win10
submitted
10-07-2020 17:48

Sharing

Report Analysis Logs

General

Target

New-July-PO-07545767-TR768669-Order_Sample-Quote,xlsx.exe
Size

412KB
MD5

495fefe3f258ab11a285d3fddf0ac160
SHA1

f2f9c5b1f8424715ed3263cc3bb2de9c4535940e
SHA256

0be3470e0c0afeded793f139be36a34de63714490ff86e5a9e0fa9a584ea20cc
SHA512

f6c8980dfa3d2c0a7810076820ebb7be494314b8e9fbbefdec57ded94e680dd94a9159d0735ace6495769d11d1efb71862b79a90fa9c88f45afae25d671c1847

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3380 3100 WerFault.exe New-July-PO-07545767-TR768669-Order_Sample-Quote,xlsx.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 3380 WerFault.exe
Token: SeBackupPrivilege 3380 WerFault.exe
Token: SeDebugPrivilege 3380 WerFault.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

WerFault.exe

pid	process
3380	WerFault.exe
3380	WerFault.exe
3380	WerFault.exe
3380	WerFault.exe
3380	WerFault.exe
3380	WerFault.exe
3380	WerFault.exe
3380	WerFault.exe
3380	WerFault.exe
3380	WerFault.exe
3380	WerFault.exe
3380	WerFault.exe
3380	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\New-July-PO-07545767-TR768669-Order_Sample-Quote,xlsx.exe
"C:\Users\Admin\AppData\Local\Temp\New-July-PO-07545767-TR768669-Order_Sample-Quote,xlsx.exe"
1⤵
PID:3100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3100 -s 912
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:3380

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3380-0-0x0000000004FD0000-0x0000000004FD1000-memory.dmp

Filesize
4KB

Download
memory/3380-1-0x0000000005700000-0x0000000005701000-memory.dmp

Filesize
4KB

Download