6824c4afb5e56e0c2b3e0b89a4acde70bcc2bd792334a6600225e623162ae621 | Triage

Analysis

max time kernel
118s
max time network
120s
platform
windows10_x64
resource
win10
submitted
12-07-2020 17:38

Sharing

Report Analysis Logs

General

Target

English_Court OrderCASE#036886890678.exe
Size

422KB
MD5

e9066a6c3f243cdb94085ef3ebb812ff
SHA1

ae746dc34cb3de5bf506336d2cc229117b32c1ad
SHA256

6824c4afb5e56e0c2b3e0b89a4acde70bcc2bd792334a6600225e623162ae621
SHA512

6bf8a77dec0effc60170120e193a343338f5fe3dbde36289e02d295fc7360bea85c1f313f8b945dfcef7eb1d92f01fc5c95796778fd100ee3743b3242c8b7b31

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3872 4092 WerFault.exe English_Court OrderCASE#036886890678.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 3872 WerFault.exe
Token: SeBackupPrivilege 3872 WerFault.exe
Token: SeDebugPrivilege 3872 WerFault.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

WerFault.exe

pid	process
3872	WerFault.exe
3872	WerFault.exe
3872	WerFault.exe
3872	WerFault.exe
3872	WerFault.exe
3872	WerFault.exe
3872	WerFault.exe
3872	WerFault.exe
3872	WerFault.exe
3872	WerFault.exe
3872	WerFault.exe
3872	WerFault.exe
3872	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\English_Court OrderCASE#036886890678.exe
"C:\Users\Admin\AppData\Local\Temp\English_Court OrderCASE#036886890678.exe"
1⤵
PID:4092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 1140
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:3872

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3872-0-0x0000000004BD0000-0x0000000004BD1000-memory.dmp

Filesize
4KB

Download
memory/3872-1-0x0000000005400000-0x0000000005401000-memory.dmp

Filesize
4KB

Download