186d876a0f3218b1bcc27510279c83dc985f71ac56f99ed2ca863613527acd03 | Triage

Analysis

max time kernel
64s
max time network
68s
platform
windows10_x64
resource
win10v200430
submitted
30-06-2020 12:43

Sharing

Report Analysis Logs

General

Target

eInvoicing_pdf.exe
Size

599KB
MD5

be80e2bfd8155e17c6d71da2b2d14bf8
SHA1

ba8d0ff3ed80326ca54fb0241da277c4b506274a
SHA256

186d876a0f3218b1bcc27510279c83dc985f71ac56f99ed2ca863613527acd03
SHA512

84231a6599c09943f5312a9a39ed631558c245bc2c97264447b46826eda2f6c3e18046a4db094102ba81f21dec79a8acedd2dc66436e57f3fca5bfc2fd1dd3cc

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

516 2564 WerFault.exe eInvoicing_pdf.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

eInvoicing_pdf.exeWerFault.exe

pid	process
2564	eInvoicing_pdf.exe
516	WerFault.exe
516	WerFault.exe
516	WerFault.exe
516	WerFault.exe
516	WerFault.exe
516	WerFault.exe
516	WerFault.exe
516	WerFault.exe
516	WerFault.exe
516	WerFault.exe
516	WerFault.exe
516	WerFault.exe
516	WerFault.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

eInvoicing_pdf.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	2564	eInvoicing_pdf.exe
Token: SeRestorePrivilege	516	WerFault.exe
Token: SeBackupPrivilege	516	WerFault.exe
Token: SeDebugPrivilege	516	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\eInvoicing_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\eInvoicing_pdf.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 924
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:516

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/516-0-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/516-1-0x0000000004820000-0x0000000004821000-memory.dmp

Filesize
4KB

Download