98b003566db6017d0284210e27d136a58b89bac6d253b27cbdd99f2037ba581f | Triage

Analysis

max time kernel
147s
max time network
69s
platform
windows10_x64
resource
win10v200430
submitted
30-06-2020 12:03

Sharing

Report Analysis Logs

General

Target

eInvoicing_pdf.exe
Size

576KB
MD5

e594c02c881005eadcb788388aff6c5f
SHA1

0f31c21f87b03662e75613631ecee68054b3aab0
SHA256

98b003566db6017d0284210e27d136a58b89bac6d253b27cbdd99f2037ba581f
SHA512

8c39729165bb537b3c58820311b04811852a620308427f4d6de58caaa460ac1688029995c443b7a6c761fb58e24dacef5e1914d200b859f758e9f18c1cec5a85

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

588 3692 WerFault.exe eInvoicing_pdf.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

eInvoicing_pdf.exeWerFault.exe

pid	process
3692	eInvoicing_pdf.exe
588	WerFault.exe
588	WerFault.exe
588	WerFault.exe
588	WerFault.exe
588	WerFault.exe
588	WerFault.exe
588	WerFault.exe
588	WerFault.exe
588	WerFault.exe
588	WerFault.exe
588	WerFault.exe
588	WerFault.exe
588	WerFault.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

eInvoicing_pdf.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	3692	eInvoicing_pdf.exe
Token: SeRestorePrivilege	588	WerFault.exe
Token: SeBackupPrivilege	588	WerFault.exe
Token: SeDebugPrivilege	588	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\eInvoicing_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\eInvoicing_pdf.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3692 -s 928
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:588

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/588-0-0x0000000004B60000-0x0000000004B61000-memory.dmp

Filesize
4KB

Download
memory/588-1-0x0000000004FA0000-0x0000000004FA1000-memory.dmp

Filesize
4KB

Download