d12fda0c8cf02474c474c6cbeba40591ba336a7fdf8d3f164493e5f6200f77ca | Triage

Analysis

max time kernel
136s
max time network
102s
platform
windows10_x64
resource
win10v200430
submitted
13-07-2020 04:29

Sharing

Report Analysis Logs

General

Target

ADMIS - vendor reg. form & purchase order documents.exe
Size

397KB
MD5

323b65d961b4f61ae420e4d4d602f7ba
SHA1

520dab5239e87b0b8704996dcfd66beea7f5ce2d
SHA256

d12fda0c8cf02474c474c6cbeba40591ba336a7fdf8d3f164493e5f6200f77ca
SHA512

28d3d1fadfd80244a3a17a0e2bbff33cccaedac032809d7a1b9841bbec31fdd7b38359a01d73758b05fdbefcf953ccbd84b3fb48ec288ccc1afedbb41eb60689

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2780	2804	WerFault.exe	65

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2780	WerFault.exe
2780	WerFault.exe
2780	WerFault.exe
2780	WerFault.exe
2780	WerFault.exe
2780	WerFault.exe
2780	WerFault.exe
2780	WerFault.exe
2780	WerFault.exe
2780	WerFault.exe
2780	WerFault.exe
2780	WerFault.exe
2780	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	2780	WerFault.exe
Token: SeBackupPrivilege	2780	WerFault.exe
Token: SeDebugPrivilege	2780	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\ADMIS - vendor reg. form & purchase order documents.exe
"C:\Users\Admin\AppData\Local\Temp\ADMIS - vendor reg. form & purchase order documents.exe"
1⤵
PID:2804
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2804 -s 1140
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2780

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2780-0-0x0000000004BC0000-0x0000000004BC1000-memory.dmp

Filesize
4KB

Download
memory/2780-1-0x0000000005400000-0x0000000005401000-memory.dmp

Filesize
4KB

Download
memory/2780-2-0x0000000005800000-0x0000000005801000-memory.dmp

Filesize
4KB

Download