0862113a4573fd34c6c79f11e749f22f95ed3b319c353cf08d9eaf880901934c | Triage

Analysis

max time kernel
66s
max time network
105s
platform
windows10_x64
resource
win10v200430
submitted
16/07/2020, 08:36

Sharing

Report Analysis Logs

General

Target

QUOTATION.exe
Size

571KB
MD5

0014895addcda048f510946585b2094e
SHA1

f161dd07b414a1c1d553ed71f2e5d74fbdeb120a
SHA256

0862113a4573fd34c6c79f11e749f22f95ed3b319c353cf08d9eaf880901934c
SHA512

8291729ad4033c10893e938648548b87b0eb931a93e26df63985e2790786e872c1be26fea5158a80bb78d95453c674afed5e421368740a59d89ebb71dfca2002

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3444	504	WerFault.exe	65

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
3444	WerFault.exe
3444	WerFault.exe
3444	WerFault.exe
3444	WerFault.exe
3444	WerFault.exe
3444	WerFault.exe
3444	WerFault.exe
3444	WerFault.exe
3444	WerFault.exe
3444	WerFault.exe
3444	WerFault.exe
3444	WerFault.exe
3444	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	3444	WerFault.exe
Token: SeBackupPrivilege	3444	WerFault.exe
Token: SeDebugPrivilege	3444	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\QUOTATION.exe
"C:\Users\Admin\AppData\Local\Temp\QUOTATION.exe"
1⤵
PID:504
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 504 -s 924
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3444

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3444-0-0x0000000004AD0000-0x0000000004AD1000-memory.dmp

Filesize
4KB

Download
memory/3444-1-0x0000000004AD0000-0x0000000004AD1000-memory.dmp

Filesize
4KB

Download
memory/3444-3-0x00000000051C0000-0x00000000051C1000-memory.dmp

Filesize
4KB

Download