1debc399539d6dddfa7522dbf42b2ade7d0e56179588fae9f144301a84629e50 | Triage

Analysis

max time kernel
136s
max time network
105s
platform
windows10_x64
resource
win10v200430
submitted
12-07-2020 08:12

Sharing

Report Analysis Logs

General

Target

Original invoice.exe
Size

799KB
MD5

903746d6c18aef7b3acbf91fb0b1ba11
SHA1

7712236e9d81cc5654023d7a21b0a518ea2b53d9
SHA256

1debc399539d6dddfa7522dbf42b2ade7d0e56179588fae9f144301a84629e50
SHA512

794e32b00aeda08552e8c05a94ded42b135f605d86dfe0d9d8f4cdbc0630226d1f957913d555f50efc638499aa75c8cad924cf1158bb96f9232d29fe0b4eb18a

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2484 3184 WerFault.exe Original invoice.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

WerFault.exe

pid	process
2484	WerFault.exe
2484	WerFault.exe
2484	WerFault.exe
2484	WerFault.exe
2484	WerFault.exe
2484	WerFault.exe
2484	WerFault.exe
2484	WerFault.exe
2484	WerFault.exe
2484	WerFault.exe
2484	WerFault.exe
2484	WerFault.exe
2484	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 2484 WerFault.exe
Token: SeBackupPrivilege 2484 WerFault.exe
Token: SeDebugPrivilege 2484 WerFault.exe

C:\Users\Admin\AppData\Local\Temp\Original invoice.exe
"C:\Users\Admin\AppData\Local\Temp\Original invoice.exe"
1⤵
PID:3184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3184 -s 1144
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2484

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2484-0-0x0000000004F50000-0x0000000004F51000-memory.dmp

Filesize
4KB

Download
memory/2484-2-0x0000000005800000-0x0000000005801000-memory.dmp

Filesize
4KB

Download