420541ff7ab7f97d2110f9c2f2488087c0d2f9e577fa5e55c73eebf4f5416bbc | Triage

Analysis

max time kernel
130s
max time network
125s
platform
windows10_x64
resource
win10
submitted
13-07-2020 06:27

Sharing

Report Analysis Logs

General

Target

purchase order.exe
Size

790KB
MD5

3c55253fc699ca4f3aa7b5f39796e82c
SHA1

85be2e70b90bbefdb191cd5440c9519772755402
SHA256

420541ff7ab7f97d2110f9c2f2488087c0d2f9e577fa5e55c73eebf4f5416bbc
SHA512

bedb39cfab073dfce9e12488818d20381e48ec33cbfe30c53f5e1679b439b261c65cbf448f1a6d616c74f337f0dbcfd70194b141abc2399eed703210e0b1e297

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3780	2916	WerFault.exe	66

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	3780	WerFault.exe
Token: SeBackupPrivilege	3780	WerFault.exe
Token: SeDebugPrivilege	3780	WerFault.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
3780	WerFault.exe
3780	WerFault.exe
3780	WerFault.exe
3780	WerFault.exe
3780	WerFault.exe
3780	WerFault.exe
3780	WerFault.exe
3780	WerFault.exe
3780	WerFault.exe
3780	WerFault.exe
3780	WerFault.exe
3780	WerFault.exe
3780	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\purchase order.exe
"C:\Users\Admin\AppData\Local\Temp\purchase order.exe"
1⤵
PID:2916
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2916 -s 1144
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  PID:3780

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3780-0-0x0000000004AE0000-0x0000000004AE1000-memory.dmp

Filesize
4KB

Download
memory/3780-1-0x0000000004EE0000-0x0000000004EE1000-memory.dmp

Filesize
4KB

Download
memory/3780-2-0x00000000052E0000-0x00000000052E1000-memory.dmp

Filesize
4KB

Download