fe41fe0b302887f61f20473015f386ab57ddb4cc278b3e1639c07337012a58f4 | Triage

Analysis

max time kernel
133s
max time network
136s
platform
windows10_x64
resource
win10v200430
submitted
16-07-2020 13:32

Sharing

Report Analysis Logs

General

Target

FIRST PURCHASE ORDER.exe
Size

714KB
MD5

dbbac19cfd01ab4e759500a13168a30b
SHA1

71917c8765aaa6e2869cc1b949bfddf3580457c5
SHA256

fe41fe0b302887f61f20473015f386ab57ddb4cc278b3e1639c07337012a58f4
SHA512

caa08b928acff84a762f64c8c18c332db8f546d003085415560bdc265c3c90953d3e54da5e2031d188beca49e8c891966f8f8de66c8202928045acfd7d80d4ee

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2168	2564	WerFault.exe	65

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2168	WerFault.exe
2168	WerFault.exe
2168	WerFault.exe
2168	WerFault.exe
2168	WerFault.exe
2168	WerFault.exe
2168	WerFault.exe
2168	WerFault.exe
2168	WerFault.exe
2168	WerFault.exe
2168	WerFault.exe
2168	WerFault.exe
2168	WerFault.exe
2168	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	2168	WerFault.exe
Token: SeBackupPrivilege	2168	WerFault.exe
Token: SeDebugPrivilege	2168	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\FIRST PURCHASE ORDER.exe
"C:\Users\Admin\AppData\Local\Temp\FIRST PURCHASE ORDER.exe"
1⤵
PID:2564
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 908
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2168

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2168-0-0x0000000004620000-0x0000000004621000-memory.dmp

Filesize
4KB

Download
memory/2168-1-0x0000000004B60000-0x0000000004B61000-memory.dmp

Filesize
4KB

Download