1520c196804649d5a465a2003046210148f70d50e926366300214cea9ef15719 | Triage

Analysis

max time kernel
129s
max time network
101s
platform
windows10_x64
resource
win10v200430
submitted
13-07-2020 06:20

Sharing

Report Analysis Logs

General

Target

Pfz2O0m5k-july2020-RFQ.exe
Size

395KB
MD5

b6076c3f3c090e88a79b3ab2398cb2a5
SHA1

a88f5b2d7f7c9c9c1f015ed7c659656fa752df02
SHA256

1520c196804649d5a465a2003046210148f70d50e926366300214cea9ef15719
SHA512

195b4e1ee8a7239d5d46cda19b43f17175ce1d7c25889d0a7152d4501c37f917baee8c9c27c91585eed139b42320d1fe0e5999166d47166fb01ae37025267a5b

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2808 1500 WerFault.exe Pfz2O0m5k-july2020-RFQ.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 2808 WerFault.exe
Token: SeBackupPrivilege 2808 WerFault.exe
Token: SeDebugPrivilege 2808 WerFault.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

WerFault.exe

pid	process
2808	WerFault.exe
2808	WerFault.exe
2808	WerFault.exe
2808	WerFault.exe
2808	WerFault.exe
2808	WerFault.exe
2808	WerFault.exe
2808	WerFault.exe
2808	WerFault.exe
2808	WerFault.exe
2808	WerFault.exe
2808	WerFault.exe
2808	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\Pfz2O0m5k-july2020-RFQ.exe
"C:\Users\Admin\AppData\Local\Temp\Pfz2O0m5k-july2020-RFQ.exe"
1⤵
PID:1500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1500 -s 1140
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:2808

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2808-0-0x0000000004390000-0x0000000004391000-memory.dmp

Filesize
4KB

Download
memory/2808-1-0x00000000049D0000-0x00000000049D1000-memory.dmp

Filesize
4KB

Download