91ec8e2e85917775a7055500c887bf49371679f772bd917c69dfb2b628f4a680 | Triage

Analysis

max time kernel
138s
max time network
105s
platform
windows10_x64
resource
win10v200430
submitted
16/07/2020, 07:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

FedEx's AWB#5305323204643 (2).exe
Size

504KB
MD5

4b64df0df55645e1fda431e95191f770
SHA1

545c5fc62283efdc09c1a2a8e62e43f9035c8b03
SHA256

91ec8e2e85917775a7055500c887bf49371679f772bd917c69dfb2b628f4a680
SHA512

989b3800256663be9b78c5317d6d360cb8b6274189b6ea1755db07bc28da7cc48763165d0a2e53d145bb966a7b34085ef4f9306a5758974d19b7eb77cdfa9787

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3936	992	WerFault.exe	66

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	3936	WerFault.exe
Token: SeBackupPrivilege	3936	WerFault.exe
Token: SeDebugPrivilege	3936	WerFault.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
3936	WerFault.exe
3936	WerFault.exe
3936	WerFault.exe
3936	WerFault.exe
3936	WerFault.exe
3936	WerFault.exe
3936	WerFault.exe
3936	WerFault.exe
3936	WerFault.exe
3936	WerFault.exe
3936	WerFault.exe
3936	WerFault.exe
3936	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\FedEx's AWB#5305323204643 (2).exe
"C:\Users\Admin\AppData\Local\Temp\FedEx's AWB#5305323204643 (2).exe"
1⤵
PID:992
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 908
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  PID:3936

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3936-0-0x00000000046F0000-0x00000000046F1000-memory.dmp

Filesize
4KB

Download
memory/3936-1-0x0000000004D20000-0x0000000004D21000-memory.dmp

Filesize
4KB

Download