a5d81b3d4d0df91d286ae0f3db7d166ecd013e8c53d1677be5b149edb9d15d42 | Triage

Analysis

max time kernel
135s
max time network
136s
platform
windows10_x64
resource
win10
submitted
07-07-2020 09:49

Sharing

Report Analysis Logs

General

Target

Remittance Advice Copy.pdf.exe
Size

407KB
MD5

6b5336f1d7c2b76f1ef01955efb37319
SHA1

fdf5963190fcb5e95bd72a321974c76bf3c3097b
SHA256

a5d81b3d4d0df91d286ae0f3db7d166ecd013e8c53d1677be5b149edb9d15d42
SHA512

c8868b27013cef64d7e6ac0d42853f8a812abc998d6af4b41ad871735b9c48d85ad2da510ebcf3fb3af2e06a20afacb242fd2470d0e406d4304e5ef3beb3afdd

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3500 3060 WerFault.exe Remittance Advice Copy.pdf.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 3500 WerFault.exe
Token: SeBackupPrivilege 3500 WerFault.exe
Token: SeDebugPrivilege 3500 WerFault.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

WerFault.exe

pid	process
3500	WerFault.exe
3500	WerFault.exe
3500	WerFault.exe
3500	WerFault.exe
3500	WerFault.exe
3500	WerFault.exe
3500	WerFault.exe
3500	WerFault.exe
3500	WerFault.exe
3500	WerFault.exe
3500	WerFault.exe
3500	WerFault.exe
3500	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\Remittance Advice Copy.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Remittance Advice Copy.pdf.exe"
1⤵
PID:3060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3060 -s 1128
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:3500

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3500-0-0x0000000004E80000-0x0000000004E81000-memory.dmp

Filesize
4KB

Download
memory/3500-1-0x00000000054C0000-0x00000000054C1000-memory.dmp

Filesize
4KB

Download