d62fb8c1085745bba5628a442571a54b7225f4496ad27f572798739195ebedc3 | Triage

Analysis

max time kernel
121s
max time network
117s
platform
windows10_x64
resource
win10
submitted
16/07/2020, 06:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Bank Swift-Copy.exe
Size

521KB
MD5

dbf83f5c86a0331c038bcb65a76c80f7
SHA1

26193900e2af3ec27f1163dd660b60b5a5420840
SHA256

d62fb8c1085745bba5628a442571a54b7225f4496ad27f572798739195ebedc3
SHA512

b34412564ad308a77ee1b253f5b80be80179eb1c00f032ca2b6cd63eb069afe38beb820478bc01129a3ae833d0f484900475171f4c4c55c98a1a56c5a5349828

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2892	3356	WerFault.exe	66

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2892	WerFault.exe
2892	WerFault.exe
2892	WerFault.exe
2892	WerFault.exe
2892	WerFault.exe
2892	WerFault.exe
2892	WerFault.exe
2892	WerFault.exe
2892	WerFault.exe
2892	WerFault.exe
2892	WerFault.exe
2892	WerFault.exe
2892	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	2892	WerFault.exe
Token: SeBackupPrivilege	2892	WerFault.exe
Token: SeDebugPrivilege	2892	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\Bank Swift-Copy.exe
"C:\Users\Admin\AppData\Local\Temp\Bank Swift-Copy.exe"
1⤵
PID:3356
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3356 -s 908
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2892

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2892-0-0x00000000048F0000-0x00000000048F1000-memory.dmp

Filesize
4KB

Download
memory/2892-1-0x0000000004EB0000-0x0000000004EB1000-memory.dmp

Filesize
4KB

Download