7910fbd27cb1e4fd04a3356d45036821ed924ef1b8de3117d677be4938cb5140 | Triage

Analysis

max time kernel
147s
max time network
101s
platform
windows10_x64
resource
win10v200430
submitted
13-07-2020 07:12

Sharing

Report Analysis Logs

General

Target

order list.exe
Size

296KB
MD5

76bb6a33ec5f8f6bd9defe4341871e98
SHA1

0ec9277d8c2e410440485c7cd2202ef877d49230
SHA256

7910fbd27cb1e4fd04a3356d45036821ed924ef1b8de3117d677be4938cb5140
SHA512

806dade1f74874d3c6cb3acdabee50ebc3a6cd4927d57e83e7136b448fe0a207a3a0e440be3668b2116e2043452cf1f0327aedc1e7542a7e8684b53eda7d10d9

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2200 3768 WerFault.exe order list.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 2200 WerFault.exe
Token: SeBackupPrivilege 2200 WerFault.exe
Token: SeDebugPrivilege 2200 WerFault.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

WerFault.exe

pid	process
2200	WerFault.exe
2200	WerFault.exe
2200	WerFault.exe
2200	WerFault.exe
2200	WerFault.exe
2200	WerFault.exe
2200	WerFault.exe
2200	WerFault.exe
2200	WerFault.exe
2200	WerFault.exe
2200	WerFault.exe
2200	WerFault.exe
2200	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\order list.exe
"C:\Users\Admin\AppData\Local\Temp\order list.exe"
1⤵
PID:3768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3768 -s 1140
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:2200

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2200-0-0x00000000047C0000-0x00000000047C1000-memory.dmp

Filesize
4KB

Download
memory/2200-1-0x00000000047C0000-0x00000000047C1000-memory.dmp

Filesize
4KB

Download
memory/2200-3-0x00000000049C0000-0x00000000049C1000-memory.dmp

Filesize
4KB

Download