c1a4b17148c88714a70ed5274137b99994ee50d5ec98041249aa4925a4528b72 | Triage

Analysis

max time kernel
127s
max time network
130s
platform
windows10_x64
resource
win10
submitted
29-07-2020 05:38

Sharing

Report Analysis Logs

General

Target

AWB Incoming (ETA 0807 G.W 18.60 kgnet ) Delivery from GUMTEC-KOREA.exe
Size

432KB
MD5

90f5e1b5dc5acd24ca59661754b3f288
SHA1

3c281ca35b555493ae9d2fa63e2ae116e5b336fc
SHA256

c1a4b17148c88714a70ed5274137b99994ee50d5ec98041249aa4925a4528b72
SHA512

7bbb738677638123faf8b25b75020aaf44dfa3b133d93ed8d8bc914e488a678dc5fe14444a0fd3424657192babeec89a3494fc0a9d2062e7946f904ea4e95cbe

Score

3^/10

Malware Config

Signatures

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	3520	WerFault.exe
Token: SeBackupPrivilege	3520	WerFault.exe
Token: SeDebugPrivilege	3520	WerFault.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
3520	WerFault.exe
3520	WerFault.exe
3520	WerFault.exe
3520	WerFault.exe
3520	WerFault.exe
3520	WerFault.exe
3520	WerFault.exe
3520	WerFault.exe
3520	WerFault.exe
3520	WerFault.exe
3520	WerFault.exe
3520	WerFault.exe
3520	WerFault.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3520	2880	WerFault.exe	66

C:\Users\Admin\AppData\Local\Temp\AWB Incoming (ETA 0807 G.W 18.60 kgnet ) Delivery from GUMTEC-KOREA.exe
"C:\Users\Admin\AppData\Local\Temp\AWB Incoming (ETA 0807 G.W 18.60 kgnet ) Delivery from GUMTEC-KOREA.exe"
1⤵
PID:2880
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2880 -s 900
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  - Program crash
  PID:3520

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3520-0-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/3520-1-0x0000000005510000-0x0000000005511000-memory.dmp

Filesize
4KB

Download
memory/3520-2-0x0000000005910000-0x0000000005911000-memory.dmp

Filesize
4KB

Download