8f74d4186885e919ba7b7c06562f9237691fd736feeb6222470f38b7efdcc532 | Triage

Analysis

max time kernel
119s
max time network
122s
platform
windows10_x64
resource
win10
submitted
12/07/2020, 11:26

Sharing

Report Analysis Logs

General

Target

STATEMENT OF ACCOUNT - JULY 12.exe
Size

391KB
MD5

7e0f734c9add7e48862f0dbcf319901c
SHA1

99b9640f0fe628b513ccba7e2a511b2667267359
SHA256

8f74d4186885e919ba7b7c06562f9237691fd736feeb6222470f38b7efdcc532
SHA512

b451c57bcb496657356f917eccba140b6d54edabf491c895ac804d815955abec547627e7e7cf4628b1cd6f10e289f84723187eb263024310d59dbb36d5fe1754

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3520	3892	WerFault.exe	66

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
3520	WerFault.exe
3520	WerFault.exe
3520	WerFault.exe
3520	WerFault.exe
3520	WerFault.exe
3520	WerFault.exe
3520	WerFault.exe
3520	WerFault.exe
3520	WerFault.exe
3520	WerFault.exe
3520	WerFault.exe
3520	WerFault.exe
3520	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	3520	WerFault.exe
Token: SeBackupPrivilege	3520	WerFault.exe
Token: SeDebugPrivilege	3520	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT - JULY 12.exe
"C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT - JULY 12.exe"
1⤵
PID:3892
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3892 -s 1144
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3520

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3520-0-0x0000000004BA0000-0x0000000004BA1000-memory.dmp

Filesize
4KB

Download
memory/3520-1-0x00000000051E0000-0x00000000051E1000-memory.dmp

Filesize
4KB

Download