f6fc22ec88e5653d35064b62baba0b24d9a66391412f21488053e6df37b87c98 | Triage

Analysis

max time kernel
125s
max time network
128s
platform
windows10_x64
resource
win10
submitted
12-07-2020 08:16

Sharing

Report Analysis Logs

General

Target

Invoice.exe
Size

402KB
MD5

da4e69129661f06319d09a815b0b98d7
SHA1

f6bd5cd6f1e8c8217bb062ab378e53da423c1843
SHA256

f6fc22ec88e5653d35064b62baba0b24d9a66391412f21488053e6df37b87c98
SHA512

76ab018e3236b5533fc13b308d9dfe54b14b5f861b212f9cdbcfa0a4f76ca7ecbd9a3755b4db6c1a06233f7e6726e0f132b9e92fc05b20d2577bdc68c055f4a7

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3844 2460 WerFault.exe Invoice.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

WerFault.exe

pid	process
3844	WerFault.exe
3844	WerFault.exe
3844	WerFault.exe
3844	WerFault.exe
3844	WerFault.exe
3844	WerFault.exe
3844	WerFault.exe
3844	WerFault.exe
3844	WerFault.exe
3844	WerFault.exe
3844	WerFault.exe
3844	WerFault.exe
3844	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 3844 WerFault.exe
Token: SeBackupPrivilege 3844 WerFault.exe
Token: SeDebugPrivilege 3844 WerFault.exe

C:\Users\Admin\AppData\Local\Temp\Invoice.exe
"C:\Users\Admin\AppData\Local\Temp\Invoice.exe"
1⤵
PID:2460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2460 -s 1140
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3844

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3844-0-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/3844-1-0x00000000057A0000-0x00000000057A1000-memory.dmp

Filesize
4KB

Download