6d64f2c47bc182a160e02ceebb8e194dd627fb83d762f9d1609d4f1d7cf3ff89 | Triage

Analysis

max time kernel
131s
max time network
126s
platform
windows10_x64
resource
win10
submitted
16-07-2020 18:33

Sharing

Report Analysis Logs

General

Target

payment Slip.exe
Size

824KB
MD5

f2dc2472943a80a1adb493cefc36235a
SHA1

0288a2c724051d6f42784b84dbb5cae170144358
SHA256

6d64f2c47bc182a160e02ceebb8e194dd627fb83d762f9d1609d4f1d7cf3ff89
SHA512

9ed2ee019ad571e2fe601bb78d5a4f6228734c551db00dafe2eb6752fdf20970b24306a2b60579c2bb4e63b519a4893d1ea4500bb93e42789eda045e067e02a4

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1940	384	WerFault.exe	66

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	1940	WerFault.exe
Token: SeBackupPrivilege	1940	WerFault.exe
Token: SeDebugPrivilege	1940	WerFault.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
1940	WerFault.exe
1940	WerFault.exe
1940	WerFault.exe
1940	WerFault.exe
1940	WerFault.exe
1940	WerFault.exe
1940	WerFault.exe
1940	WerFault.exe
1940	WerFault.exe
1940	WerFault.exe
1940	WerFault.exe
1940	WerFault.exe
1940	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\payment Slip.exe"
1⤵
PID:384
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 384 -s 908
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  PID:1940

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1940-0-0x00000000046D0000-0x00000000046D1000-memory.dmp

Filesize
4KB

Download
memory/1940-1-0x0000000004C10000-0x0000000004C11000-memory.dmp

Filesize
4KB

Download