597022d4e4794fb02c89a43939d93d1b2b1140e798e355c2a53a8423f19514ad | Triage

Analysis

max time kernel
67s
max time network
99s
platform
windows10_x64
resource
win10
submitted
10/07/2020, 17:49

Sharing

Report Analysis Logs

General

Target

ORDERMOO2#O2-JULY2020.exe
Size

608KB
MD5

a95901fe4c5694369516e46bf7c8b577
SHA1

b8d317bbc7dcc71d520b63f53d0a4b941e0d73d6
SHA256

597022d4e4794fb02c89a43939d93d1b2b1140e798e355c2a53a8423f19514ad
SHA512

e9f16d61a7d9d9ed97429b252523c82a1aa764b1f3d0195ffbe03a3744540c434685539fcf35d0d2e05e3fe69c965245ef2b3a35297c09fec1e3613d0656a5ac

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1840	3068	WerFault.exe	66

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	1840	WerFault.exe
Token: SeBackupPrivilege	1840	WerFault.exe
Token: SeDebugPrivilege	1840	WerFault.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
1840	WerFault.exe
1840	WerFault.exe
1840	WerFault.exe
1840	WerFault.exe
1840	WerFault.exe
1840	WerFault.exe
1840	WerFault.exe
1840	WerFault.exe
1840	WerFault.exe
1840	WerFault.exe
1840	WerFault.exe
1840	WerFault.exe
1840	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\ORDERMOO2#O2-JULY2020.exe
"C:\Users\Admin\AppData\Local\Temp\ORDERMOO2#O2-JULY2020.exe"
1⤵
PID:3068
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3068 -s 1136
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  PID:1840

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1840-0-0x0000000004420000-0x0000000004421000-memory.dmp

Filesize
4KB

Download
memory/1840-1-0x0000000004C60000-0x0000000004C61000-memory.dmp

Filesize
4KB

Download