0f2a2c10ccdece91433063d992b2a24a316db4e1f8d2dc8f6c532fe48e0e1946 | Triage

Analysis

max time kernel
84s
max time network
114s
platform
windows10_x64
resource
win10v200722
submitted
31-07-2020 10:55

Sharing

Report Analysis Logs

General

Target

Invoice po.exe
Size

502KB
MD5

336d033b63278f41d919d5e9944a9d9d
SHA1

cfa013de2ef8b542054068ab2aeaa584945634f5
SHA256

0f2a2c10ccdece91433063d992b2a24a316db4e1f8d2dc8f6c532fe48e0e1946
SHA512

bde06b6efde5a982d43f52b95532ba0f89d87cfe1c0c06f3e2757fdc792a7e5452906a8b5cb4f04322d33af43de0ad991465e97c789f4702f1e8fb34286394a3

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3216 3888 WerFault.exe Invoice po.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

WerFault.exe

pid	process
3216	WerFault.exe
3216	WerFault.exe
3216	WerFault.exe
3216	WerFault.exe
3216	WerFault.exe
3216	WerFault.exe
3216	WerFault.exe
3216	WerFault.exe
3216	WerFault.exe
3216	WerFault.exe
3216	WerFault.exe
3216	WerFault.exe
3216	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 3216 WerFault.exe
Token: SeBackupPrivilege 3216 WerFault.exe
Token: SeDebugPrivilege 3216 WerFault.exe

C:\Users\Admin\AppData\Local\Temp\Invoice po.exe
"C:\Users\Admin\AppData\Local\Temp\Invoice po.exe"
1⤵
PID:3888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3888 -s 1172
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3216

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3216-0-0x0000000004670000-0x0000000004671000-memory.dmp

Filesize
4KB

Download
memory/3216-1-0x0000000004DB0000-0x0000000004DB1000-memory.dmp

Filesize
4KB

Download