029905c8789b5194e3f20a0a818bbd8922d113ce41ac880fe44f56d39b6a6356 | Triage

Analysis

max time kernel
66s
max time network
110s
platform
windows10_x64
resource
win10
submitted
13-07-2020 06:29

Sharing

Report Analysis Logs

General

Target

NewyorkUSA-hsbc - confirmation.exe
Size

484KB
MD5

24e4040b9a02c8cc8a96ac685cc15bd2
SHA1

1600fc7708ea4f7ca0f0d310362a8862700d1fdd
SHA256

029905c8789b5194e3f20a0a818bbd8922d113ce41ac880fe44f56d39b6a6356
SHA512

9e923595ffc60174755ce69216f57048ffadc3bd09b6dd628b916f202104154ce02d39b4710ae07a43267036b09f07741556f5a8d1b081c6c3e96b4111ae6d24

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3968	2976	WerFault.exe	66

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
3968	WerFault.exe
3968	WerFault.exe
3968	WerFault.exe
3968	WerFault.exe
3968	WerFault.exe
3968	WerFault.exe
3968	WerFault.exe
3968	WerFault.exe
3968	WerFault.exe
3968	WerFault.exe
3968	WerFault.exe
3968	WerFault.exe
3968	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	3968	WerFault.exe
Token: SeBackupPrivilege	3968	WerFault.exe
Token: SeDebugPrivilege	3968	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\NewyorkUSA-hsbc - confirmation.exe
"C:\Users\Admin\AppData\Local\Temp\NewyorkUSA-hsbc - confirmation.exe"
1⤵
PID:2976
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2976 -s 1136
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3968

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3968-0-0x0000000004530000-0x0000000004531000-memory.dmp

Filesize
4KB

Download
memory/3968-1-0x0000000004D70000-0x0000000004D71000-memory.dmp

Filesize
4KB

Download