faf12b61374c5f5dff73afa0f1b4084561118358e77ddd44632ba7f40a37ad38 | Triage

Analysis

max time kernel
146s
max time network
139s
platform
windows10_x64
resource
win10v200722
submitted
31-07-2020 11:02

Sharing

Report Analysis Logs

General

Target

Pagamento dell'estratto conto [REF0000360261].exe
Size

815KB
MD5

8b68c742a444062ca535c783116988b9
SHA1

8f54bc2727c6f41236de25eebb9e0868ec57d527
SHA256

faf12b61374c5f5dff73afa0f1b4084561118358e77ddd44632ba7f40a37ad38
SHA512

b9db3d3023be1b8bd4465f2b84d702356510c87bee199b868d070fcf2eb18e960d52513831ae646d5d04a29e0ac888d2ea399ebc14dbebd8c19e5186edb42ba5

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2812 3956 WerFault.exe Pagamento dell'estratto conto [REF0000360261].exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

WerFault.exe

pid	process
2812	WerFault.exe
2812	WerFault.exe
2812	WerFault.exe
2812	WerFault.exe
2812	WerFault.exe
2812	WerFault.exe
2812	WerFault.exe
2812	WerFault.exe
2812	WerFault.exe
2812	WerFault.exe
2812	WerFault.exe
2812	WerFault.exe
2812	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 2812 WerFault.exe
Token: SeBackupPrivilege 2812 WerFault.exe
Token: SeDebugPrivilege 2812 WerFault.exe

C:\Users\Admin\AppData\Local\Temp\Pagamento dell'estratto conto [REF0000360261].exe
"C:\Users\Admin\AppData\Local\Temp\Pagamento dell'estratto conto [REF0000360261].exe"
1⤵
PID:3956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3956 -s 1172
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2812

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2812-0-0x00000000043F0000-0x00000000043F1000-memory.dmp

Filesize
4KB

Download
memory/2812-1-0x0000000004A30000-0x0000000004A31000-memory.dmp

Filesize
4KB

Download