a4d604ac931839ec691dccc2474d80bf2f826693d4ce914a161a484288ebe20a | Triage

Analysis

max time kernel
125s
max time network
126s
platform
windows10_x64
resource
win10
submitted
16-07-2020 06:33

Sharing

Report Analysis Logs

General

Target

RFQ.exe
Size

569KB
MD5

105cc34e0dcb56a0bb61374f2e6eaae6
SHA1

5e9dc5c0907fd3d4d3d3debc923b1715881da818
SHA256

a4d604ac931839ec691dccc2474d80bf2f826693d4ce914a161a484288ebe20a
SHA512

6133b8dc30fd532d585032acf515f49dce624139411a0c1879bd10a582a104743feed8d3c71523360c0e37d4bc5cc3141c7e1f0bc98f141010a7b127a20d6384

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3864	2460	WerFault.exe	66

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
3864	WerFault.exe
3864	WerFault.exe
3864	WerFault.exe
3864	WerFault.exe
3864	WerFault.exe
3864	WerFault.exe
3864	WerFault.exe
3864	WerFault.exe
3864	WerFault.exe
3864	WerFault.exe
3864	WerFault.exe
3864	WerFault.exe
3864	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	3864	WerFault.exe
Token: SeBackupPrivilege	3864	WerFault.exe
Token: SeDebugPrivilege	3864	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\RFQ.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ.exe"
1⤵
PID:2460
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2460 -s 912
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3864

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3864-0-0x00000000045F0000-0x00000000045F1000-memory.dmp

Filesize
4KB

Download
memory/3864-1-0x0000000004BB0000-0x0000000004BB1000-memory.dmp

Filesize
4KB

Download