127d38ba33a67b3fa64e954d209cd9276b5d548462cd47cc3abafa8192073bab | Triage

Analysis

max time kernel
109s
max time network
131s
platform
windows10_x64
resource
win10v200430
submitted
15-07-2020 13:43

Sharing

Report Analysis Logs

General

Target

RFQ.exe
Size

1.5MB
MD5

969a8477f79fde1151cb063057cc0d8b
SHA1

9bf8a7944db8aeeaad3fb2066efbd523059ee965
SHA256

127d38ba33a67b3fa64e954d209cd9276b5d548462cd47cc3abafa8192073bab
SHA512

cc071fef67e27b40c981684284b607aba5db1457ce7f9ae8ba1cc0ce615f8f865a328e64dbb87efb3d40b2308188c47933e0e9214eb6457a434cf149d104456a

Score

3^/10

Malware Config

Signatures

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	988	WerFault.exe
Token: SeBackupPrivilege	988	WerFault.exe
Token: SeDebugPrivilege	988	WerFault.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
988	WerFault.exe
988	WerFault.exe
988	WerFault.exe
988	WerFault.exe
988	WerFault.exe
988	WerFault.exe
988	WerFault.exe
988	WerFault.exe
988	WerFault.exe
988	WerFault.exe
988	WerFault.exe
988	WerFault.exe
988	WerFault.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
988	2416	WerFault.exe	67

C:\Users\Admin\AppData\Local\Temp\RFQ.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ.exe"
1⤵
PID:2416
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2416 -s 936
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  - Program crash
  PID:988

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/988-0-0x00000000049F0000-0x00000000049F1000-memory.dmp

Filesize
4KB

Download
memory/988-1-0x00000000049F0000-0x00000000049F1000-memory.dmp

Filesize
4KB

Download
memory/988-3-0x00000000050A0000-0x00000000050A1000-memory.dmp

Filesize
4KB

Download