ca38289752e799523d0031fd56900abe2f43d0c2c0eee48f010728c6a22959ff | Triage

Analysis

max time kernel
66s
max time network
102s
platform
windows10_x64
resource
win10v200430
submitted
12-07-2020 08:02

Sharing

Report Analysis Logs

General

Target

Purchase Oder.exe
Size

430KB
MD5

baaf22c14b3b7f5a5a67d02abf6fce2f
SHA1

19da6834ac6d6a107ffb7623ba1147eb362e5db4
SHA256

ca38289752e799523d0031fd56900abe2f43d0c2c0eee48f010728c6a22959ff
SHA512

33d6d910d04a9ea6368ca652df791ff7d576c129befff5e03c1ca2f8bc78e30913e79629c850e141a70522bbd7e3d7e64a703e30487d56c67487b21111b2b2c2

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2860 2916 WerFault.exe Purchase Oder.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

WerFault.exe

pid	process
2860	WerFault.exe
2860	WerFault.exe
2860	WerFault.exe
2860	WerFault.exe
2860	WerFault.exe
2860	WerFault.exe
2860	WerFault.exe
2860	WerFault.exe
2860	WerFault.exe
2860	WerFault.exe
2860	WerFault.exe
2860	WerFault.exe
2860	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 2860 WerFault.exe
Token: SeBackupPrivilege 2860 WerFault.exe
Token: SeDebugPrivilege 2860 WerFault.exe

C:\Users\Admin\AppData\Local\Temp\Purchase Oder.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase Oder.exe"
1⤵
PID:2916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2916 -s 1136
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2860

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2860-0-0x0000000004C80000-0x0000000004C81000-memory.dmp

Filesize
4KB

Download
memory/2860-1-0x00000000053C0000-0x00000000053C1000-memory.dmp

Filesize
4KB

Download