9a53f9cbf04e13a0df2cfa0869356a9772ef9bb92a87303661c27031f682bd10 | Triage

Analysis

max time kernel
68s
max time network
116s
platform
windows10_x64
resource
win10
submitted
13/07/2020, 11:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

BL Draft Copy shipping Documents .exe
Size

325KB
MD5

0299adcd27d62af62ef8342bd71e205e
SHA1

de7978bf877f57671cb65b25aa29d9e780fbc67a
SHA256

9a53f9cbf04e13a0df2cfa0869356a9772ef9bb92a87303661c27031f682bd10
SHA512

3d97e0f73d52e1a1e92d8ad576e05fff411a1ee3d18577dfd045b2108147528e7cb3ad5764afc37e6fd10229e39ff5c9e5060d113f57b79e8181292343209c6e

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3864	2728	WerFault.exe	66

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	3864	WerFault.exe
Token: SeBackupPrivilege	3864	WerFault.exe
Token: SeDebugPrivilege	3864	WerFault.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
3864	WerFault.exe
3864	WerFault.exe
3864	WerFault.exe
3864	WerFault.exe
3864	WerFault.exe
3864	WerFault.exe
3864	WerFault.exe
3864	WerFault.exe
3864	WerFault.exe
3864	WerFault.exe
3864	WerFault.exe
3864	WerFault.exe
3864	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\BL Draft Copy shipping Documents .exe
"C:\Users\Admin\AppData\Local\Temp\BL Draft Copy shipping Documents .exe"
1⤵
PID:2728
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2728 -s 1140
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  PID:3864

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3864-0-0x0000000005150000-0x0000000005151000-memory.dmp

Filesize
4KB

Download