d0b71fdf377abca1c191fedeab8311dac158632edb66f3b894166686d61bfad6 | Triage

Analysis

max time kernel
117s
max time network
120s
platform
windows10_x64
resource
win10
submitted
17/07/2020, 17:20

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Request Quotation.exe
Size

759KB
MD5

9fb2846dca4accdd1c4fcaf212e1c6f6
SHA1

b49cfbe4a19d7ab3ee7d1a33425ccc822bba3d2e
SHA256

d0b71fdf377abca1c191fedeab8311dac158632edb66f3b894166686d61bfad6
SHA512

9ae52ef0f49c06e650c2ede614b6ff5f3a2b6de5cc18b892c5cf72bd583a4919f160ad4c30cac8a126fdaf1e3066a7a674e471138dc70213268f597227e81616

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3872	4092	WerFault.exe	66

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
3872	WerFault.exe
3872	WerFault.exe
3872	WerFault.exe
3872	WerFault.exe
3872	WerFault.exe
3872	WerFault.exe
3872	WerFault.exe
3872	WerFault.exe
3872	WerFault.exe
3872	WerFault.exe
3872	WerFault.exe
3872	WerFault.exe
3872	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	3872	WerFault.exe
Token: SeBackupPrivilege	3872	WerFault.exe
Token: SeDebugPrivilege	3872	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\Request Quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Request Quotation.exe"
1⤵
PID:4092
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 924
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3872

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3872-0-0x0000000004C30000-0x0000000004C31000-memory.dmp

Filesize
4KB

Download
memory/3872-1-0x00000000052E0000-0x00000000052E1000-memory.dmp

Filesize
4KB

Download