be905b9aac897739d22c1078e60be1111efc7a9ec25e205d664e03a59730dbea | Triage

Analysis

max time kernel
126s
max time network
151s
platform
windows10_x64
resource
win10v200430
submitted
16/07/2020, 05:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Purchase-Order.exe
Size

1.1MB
MD5

4f23660dde9df05e7429c970ce9027cc
SHA1

d57c4ca2e01422400df57f2e4610dc9ebdcde4f0
SHA256

be905b9aac897739d22c1078e60be1111efc7a9ec25e205d664e03a59730dbea
SHA512

69cf95ac1c0a7a78caa26eefec4f5da1e6117284a1c0585341381a56076e7b235e73b5718f9e119767e71f2e10713a7637866b0ddf6ac3b89d5642b4d1ed12da

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3604	1628	WerFault.exe	67

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
3604	WerFault.exe
3604	WerFault.exe
3604	WerFault.exe
3604	WerFault.exe
3604	WerFault.exe
3604	WerFault.exe
3604	WerFault.exe
3604	WerFault.exe
3604	WerFault.exe
3604	WerFault.exe
3604	WerFault.exe
3604	WerFault.exe
3604	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	3604	WerFault.exe
Token: SeBackupPrivilege	3604	WerFault.exe
Token: SeDebugPrivilege	3604	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\Purchase-Order.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase-Order.exe"
1⤵
PID:1628
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1628 -s 948
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3604

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3604-0-0x0000000004D90000-0x0000000004D91000-memory.dmp

Filesize
4KB

Download
memory/3604-1-0x0000000005350000-0x0000000005351000-memory.dmp

Filesize
4KB

Download