8be860472e72eae45034f553b53dc883fa99292a2b54ef2a57614fcf8e600790 | Triage

Analysis

max time kernel
119s
max time network
121s
platform
windows10_x64
resource
win10
submitted
07/07/2020, 09:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

FA2020.06.85569.DOCX.exe
Size

188KB
MD5

2698aef990026c034352cc9e5b6fb4f8
SHA1

29b12cb2e71ed287a1e4bdcab3b22ff500f74392
SHA256

8be860472e72eae45034f553b53dc883fa99292a2b54ef2a57614fcf8e600790
SHA512

f210c00727df295705facfd7f107ead737b1f77f55776916d8acb9d6b884333d29332a7b186b0ef27f02d9795bf81a4dc4f00c7edc9bb66164a70a88a5f60a6c

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4008	3608	WerFault.exe	66

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3608	FA2020.06.85569.DOCX.exe
4008	WerFault.exe
4008	WerFault.exe
4008	WerFault.exe
4008	WerFault.exe
4008	WerFault.exe
4008	WerFault.exe
4008	WerFault.exe
4008	WerFault.exe
4008	WerFault.exe
4008	WerFault.exe
4008	WerFault.exe
4008	WerFault.exe
4008	WerFault.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3608	FA2020.06.85569.DOCX.exe
Token: SeRestorePrivilege	4008	WerFault.exe
Token: SeBackupPrivilege	4008	WerFault.exe
Token: SeDebugPrivilege	4008	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\FA2020.06.85569.DOCX.exe
"C:\Users\Admin\AppData\Local\Temp\FA2020.06.85569.DOCX.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3608
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 940
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4008

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4008-0-0x00000000049E0000-0x00000000049E1000-memory.dmp

Filesize
4KB

Download
memory/4008-1-0x0000000005220000-0x0000000005221000-memory.dmp

Filesize
4KB

Download