8f74d4186885e919ba7b7c06562f9237691fd736feeb6222470f38b7efdcc532 | Triage

Analysis

max time kernel
119s
max time network
122s
platform
windows10_x64
resource
win10
submitted
12-07-2020 11:26

Sharing

Report Analysis Logs

General

Target

STATEMENT OF ACCOUNT - JULY 12.exe
Size

391KB
MD5

7e0f734c9add7e48862f0dbcf319901c
SHA1

99b9640f0fe628b513ccba7e2a511b2667267359
SHA256

8f74d4186885e919ba7b7c06562f9237691fd736feeb6222470f38b7efdcc532
SHA512

b451c57bcb496657356f917eccba140b6d54edabf491c895ac804d815955abec547627e7e7cf4628b1cd6f10e289f84723187eb263024310d59dbb36d5fe1754

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3520 3892 WerFault.exe STATEMENT OF ACCOUNT - JULY 12.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

WerFault.exe

pid	process
3520	WerFault.exe
3520	WerFault.exe
3520	WerFault.exe
3520	WerFault.exe
3520	WerFault.exe
3520	WerFault.exe
3520	WerFault.exe
3520	WerFault.exe
3520	WerFault.exe
3520	WerFault.exe
3520	WerFault.exe
3520	WerFault.exe
3520	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 3520 WerFault.exe
Token: SeBackupPrivilege 3520 WerFault.exe
Token: SeDebugPrivilege 3520 WerFault.exe

C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT - JULY 12.exe
"C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT - JULY 12.exe"
1⤵
PID:3892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3892 -s 1144
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3520

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3520-0-0x0000000004BA0000-0x0000000004BA1000-memory.dmp

Filesize
4KB

Download
memory/3520-1-0x00000000051E0000-0x00000000051E1000-memory.dmp

Filesize
4KB

Download