1520c196804649d5a465a2003046210148f70d50e926366300214cea9ef15719 | Triage

Analysis

max time kernel
129s
max time network
101s
platform
windows10_x64
resource
win10v200430
submitted
13/07/2020, 06:20

Sharing

Report Analysis Logs

General

Target

Pfz2O0m5k-july2020-RFQ.exe
Size

395KB
MD5

b6076c3f3c090e88a79b3ab2398cb2a5
SHA1

a88f5b2d7f7c9c9c1f015ed7c659656fa752df02
SHA256

1520c196804649d5a465a2003046210148f70d50e926366300214cea9ef15719
SHA512

195b4e1ee8a7239d5d46cda19b43f17175ce1d7c25889d0a7152d4501c37f917baee8c9c27c91585eed139b42320d1fe0e5999166d47166fb01ae37025267a5b

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2808	1500	WerFault.exe	67

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	2808	WerFault.exe
Token: SeBackupPrivilege	2808	WerFault.exe
Token: SeDebugPrivilege	2808	WerFault.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2808	WerFault.exe
2808	WerFault.exe
2808	WerFault.exe
2808	WerFault.exe
2808	WerFault.exe
2808	WerFault.exe
2808	WerFault.exe
2808	WerFault.exe
2808	WerFault.exe
2808	WerFault.exe
2808	WerFault.exe
2808	WerFault.exe
2808	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\Pfz2O0m5k-july2020-RFQ.exe
"C:\Users\Admin\AppData\Local\Temp\Pfz2O0m5k-july2020-RFQ.exe"
1⤵
PID:1500
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1500 -s 1140
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  PID:2808

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2808-0-0x0000000004390000-0x0000000004391000-memory.dmp

Filesize
4KB

Download
memory/2808-1-0x00000000049D0000-0x00000000049D1000-memory.dmp

Filesize
4KB

Download