0b33c09259b4743048454631d113d0a1b367294f3dcaeb90d79a9013b2b690e2 | Triage

Analysis

max time kernel
64s
max time network
92s
platform
windows10_x64
resource
win10
submitted
10/07/2020, 07:00

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

PO 7405591 7756947 7756740 invoice for 30% Deposit.exe
Size

609KB
MD5

e7b30e360981dd2a9baadda311a71eb1
SHA1

b7047782455067df84cf89f8dfaf8315618bbed5
SHA256

0b33c09259b4743048454631d113d0a1b367294f3dcaeb90d79a9013b2b690e2
SHA512

2896216f1f50603818965999b3f80f4bbd5c783e7fe59768a74571d12f63edae24e935217ab6041e2a533e20759adcc20a5370573231ce108529ae8c50c88b8e

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3844	3568	WerFault.exe	66

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
3844	WerFault.exe
3844	WerFault.exe
3844	WerFault.exe
3844	WerFault.exe
3844	WerFault.exe
3844	WerFault.exe
3844	WerFault.exe
3844	WerFault.exe
3844	WerFault.exe
3844	WerFault.exe
3844	WerFault.exe
3844	WerFault.exe
3844	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	3844	WerFault.exe
Token: SeBackupPrivilege	3844	WerFault.exe
Token: SeDebugPrivilege	3844	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\PO 7405591 7756947 7756740 invoice for 30% Deposit.exe
"C:\Users\Admin\AppData\Local\Temp\PO 7405591 7756947 7756740 invoice for 30% Deposit.exe"
1⤵
PID:3568
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3568 -s 916
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3844

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3844-0-0x00000000047F0000-0x00000000047F1000-memory.dmp

Filesize
4KB

Download
memory/3844-1-0x0000000004F20000-0x0000000004F21000-memory.dmp

Filesize
4KB

Download