245dab3947c242814248eb6b3fa73560d4082082fc536f9d042c7f41ea99e9c4 | Triage

Analysis

max time kernel
110s
max time network
112s
platform
windows10_x64
resource
win10
submitted
29-07-2020 05:23

Sharing

Report Analysis Logs

General

Target

INQUIRY - 1.exe
Size

566KB
MD5

1eb47fc33521f1d2048f1f711c2d397e
SHA1

81aadf114b034d534cf41468a57d72c0513b8c5d
SHA256

245dab3947c242814248eb6b3fa73560d4082082fc536f9d042c7f41ea99e9c4
SHA512

a781bab0c017e475a7063520e2043854d00d1384aa9209f432d516ddee632f601b5366c290db60fd88dff0aca11204efbdf8a0a0a1c884657cd91a1f977e8288

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3796	3832	WerFault.exe	66

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
3796	WerFault.exe
3796	WerFault.exe
3796	WerFault.exe
3796	WerFault.exe
3796	WerFault.exe
3796	WerFault.exe
3796	WerFault.exe
3796	WerFault.exe
3796	WerFault.exe
3796	WerFault.exe
3796	WerFault.exe
3796	WerFault.exe
3796	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	3796	WerFault.exe
Token: SeBackupPrivilege	3796	WerFault.exe
Token: SeDebugPrivilege	3796	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\INQUIRY - 1.exe
"C:\Users\Admin\AppData\Local\Temp\INQUIRY - 1.exe"
1⤵
PID:3832
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3832 -s 900
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3796

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3796-0-0x0000000004A40000-0x0000000004A41000-memory.dmp

Filesize
4KB

Download
memory/3796-1-0x0000000004F80000-0x0000000004F81000-memory.dmp

Filesize
4KB

Download