3dedd27d28463b27df577e2f0dad58c1a0f295dbbcb1f132eea1632080dc4508 | Triage

Analysis

max time kernel
141s
max time network
144s
platform
windows10_x64
resource
win10
submitted
07/07/2020, 08:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Original Inv_pdf.exe
Size

684KB
MD5

f576d36525a3fc0eb2db943f79f50dc2
SHA1

d5bbe2244b843982dc4e8ff33758668f3e667248
SHA256

3dedd27d28463b27df577e2f0dad58c1a0f295dbbcb1f132eea1632080dc4508
SHA512

450e0146e8dc442f31aae5f4ec831cb985ed9aa045f1a111a7ba1d981c6e03d1499c63c911479b1de92859762ef05530be43bd29753691580300fcf7ba3043e0

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3620	3908	WerFault.exe	66

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
3908	Original Inv_pdf.exe
3620	WerFault.exe
3620	WerFault.exe
3620	WerFault.exe
3620	WerFault.exe
3620	WerFault.exe
3620	WerFault.exe
3620	WerFault.exe
3620	WerFault.exe
3620	WerFault.exe
3620	WerFault.exe
3620	WerFault.exe
3620	WerFault.exe
3620	WerFault.exe
3620	WerFault.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3908	Original Inv_pdf.exe
Token: SeRestorePrivilege	3620	WerFault.exe
Token: SeBackupPrivilege	3620	WerFault.exe
Token: SeDebugPrivilege	3620	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\Original Inv_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Original Inv_pdf.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3908
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3908 -s 944
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3620

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3620-0-0x0000000004720000-0x0000000004721000-memory.dmp

Filesize
4KB

Download
memory/3620-1-0x0000000004F50000-0x0000000004F51000-memory.dmp

Filesize
4KB

Download