50bb1f29f0f8ed951bfa9f9d6dc45611765f20f683cdc2270c5a2c8b7dff1d3f | Triage

Analysis

max time kernel
65s
max time network
109s
platform
windows10_x64
resource
win10
submitted
13-07-2020 06:37

Sharing

Report Analysis Logs

General

Target

NEW ORDER INQUIRY.exe
Size

337KB
MD5

d8e2e042791b6f4c7ae28624d7a1de92
SHA1

5373277d7bc120b129897505b566e7e2d31543d1
SHA256

50bb1f29f0f8ed951bfa9f9d6dc45611765f20f683cdc2270c5a2c8b7dff1d3f
SHA512

2a44d414a10391919a68113657aa50eca22a1d0497f9ff1d8a48e078f70cbefec811e31eadbb1f57b2d893c72ac9e34d4b1a41dbd5698e0a17d7a5c5a8002f74

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3852 2532 WerFault.exe NEW ORDER INQUIRY.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

WerFault.exe

pid	process
3852	WerFault.exe
3852	WerFault.exe
3852	WerFault.exe
3852	WerFault.exe
3852	WerFault.exe
3852	WerFault.exe
3852	WerFault.exe
3852	WerFault.exe
3852	WerFault.exe
3852	WerFault.exe
3852	WerFault.exe
3852	WerFault.exe
3852	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 3852 WerFault.exe
Token: SeBackupPrivilege 3852 WerFault.exe
Token: SeDebugPrivilege 3852 WerFault.exe

C:\Users\Admin\AppData\Local\Temp\NEW ORDER INQUIRY.exe
"C:\Users\Admin\AppData\Local\Temp\NEW ORDER INQUIRY.exe"
1⤵
PID:2532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2532 -s 1144
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3852

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3852-0-0x0000000004660000-0x0000000004661000-memory.dmp

Filesize
4KB

Download
memory/3852-1-0x0000000004DA0000-0x0000000004DA1000-memory.dmp

Filesize
4KB

Download