ca38289752e799523d0031fd56900abe2f43d0c2c0eee48f010728c6a22959ff | Triage

Analysis

max time kernel
66s
max time network
102s
platform
windows10_x64
resource
win10v200430
submitted
12/07/2020, 08:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Purchase Oder.exe
Size

430KB
MD5

baaf22c14b3b7f5a5a67d02abf6fce2f
SHA1

19da6834ac6d6a107ffb7623ba1147eb362e5db4
SHA256

ca38289752e799523d0031fd56900abe2f43d0c2c0eee48f010728c6a22959ff
SHA512

33d6d910d04a9ea6368ca652df791ff7d576c129befff5e03c1ca2f8bc78e30913e79629c850e141a70522bbd7e3d7e64a703e30487d56c67487b21111b2b2c2

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2860	2916	WerFault.exe	65

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2860	WerFault.exe
2860	WerFault.exe
2860	WerFault.exe
2860	WerFault.exe
2860	WerFault.exe
2860	WerFault.exe
2860	WerFault.exe
2860	WerFault.exe
2860	WerFault.exe
2860	WerFault.exe
2860	WerFault.exe
2860	WerFault.exe
2860	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	2860	WerFault.exe
Token: SeBackupPrivilege	2860	WerFault.exe
Token: SeDebugPrivilege	2860	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\Purchase Oder.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase Oder.exe"
1⤵
PID:2916
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2916 -s 1136
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2860

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2860-0-0x0000000004C80000-0x0000000004C81000-memory.dmp

Filesize
4KB

Download
memory/2860-1-0x00000000053C0000-0x00000000053C1000-memory.dmp

Filesize
4KB

Download