77a9c4057f03eb0f38ff4700c6c0c9f6f8557790c03bf5bbe5242f5fb84de8ee | Triage

Analysis

max time kernel
126s
max time network
149s
platform
windows10_x64
resource
win10v200430
submitted
13/07/2020, 13:33

Sharing

Report Analysis Logs

General

Target

Order_Dubai Branch.exe
Size

687KB
MD5

9b859410e9e81f379a232e650ac394ac
SHA1

a07950874065f443322a51526dc1347c23612606
SHA256

77a9c4057f03eb0f38ff4700c6c0c9f6f8557790c03bf5bbe5242f5fb84de8ee
SHA512

a5db505909072fe5e0e4335991a6c5deafc026f13f8e61b92604846bc17bfbdde37ed63eacec1b4af64f15842edd25c21bde626ee5ea2b53dcbdf7875a7cbeb2

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3692	1628	WerFault.exe	67

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	3692	WerFault.exe
Token: SeBackupPrivilege	3692	WerFault.exe
Token: SeDebugPrivilege	3692	WerFault.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
3692	WerFault.exe
3692	WerFault.exe
3692	WerFault.exe
3692	WerFault.exe
3692	WerFault.exe
3692	WerFault.exe
3692	WerFault.exe
3692	WerFault.exe
3692	WerFault.exe
3692	WerFault.exe
3692	WerFault.exe
3692	WerFault.exe
3692	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\Order_Dubai Branch.exe
"C:\Users\Admin\AppData\Local\Temp\Order_Dubai Branch.exe"
1⤵
PID:1628
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1628 -s 1140
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  PID:3692

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3692-0-0x0000000004910000-0x0000000004911000-memory.dmp

Filesize
4KB

Download
memory/3692-1-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download