f65a95bed4140f6398726aae98f0e08f22c68f08383bc125152eda3c39092ce3 | Triage

Analysis

max time kernel
130s
max time network
106s
platform
windows10_x64
resource
win10v200430
submitted
15/07/2020, 22:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Remittances...exe
Size

1.1MB
MD5

d17852024efc274e28b579bb149463e4
SHA1

e39e9b39b9335d0cd948f134721a378cadc78ec4
SHA256

f65a95bed4140f6398726aae98f0e08f22c68f08383bc125152eda3c39092ce3
SHA512

06a9f98c5fe8174a7f455d1c2677fbb1f24869582f3736f75fdc868f7226a5c6827cfaa105fe361803b8d72a882ec30ec4d441f3f41a84f9375204932d73a50e

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2828	1600	WerFault.exe	67

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	2828	WerFault.exe
Token: SeBackupPrivilege	2828	WerFault.exe
Token: SeDebugPrivilege	2828	WerFault.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2828	WerFault.exe
2828	WerFault.exe
2828	WerFault.exe
2828	WerFault.exe
2828	WerFault.exe
2828	WerFault.exe
2828	WerFault.exe
2828	WerFault.exe
2828	WerFault.exe
2828	WerFault.exe
2828	WerFault.exe
2828	WerFault.exe
2828	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\Remittances...exe
"C:\Users\Admin\AppData\Local\Temp\Remittances...exe"
1⤵
PID:1600
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1600 -s 940
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  PID:2828

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2828-0-0x00000000046A0000-0x00000000046A1000-memory.dmp

Filesize
4KB

Download
memory/2828-1-0x0000000004AE0000-0x0000000004AE1000-memory.dmp

Filesize
4KB

Download