ff4bcfd3663088b0e8fed48b19bf950f8a6680fea9d3b0a478ac1fbfbcefeeef | Triage

Analysis

max time kernel
76s
max time network
116s
platform
windows10_x64
resource
win10
submitted
08-07-2020 06:39

Sharing

Report Analysis Logs

General

Target

RFP_NDT_ServicesandEquipments_Proposal_Project_dwg.exe
Size

797KB
MD5

d9a372fd1f0401897210599c330124b6
SHA1

570eff9c5b310ef0a577804be2ab2dcf470a139f
SHA256

ff4bcfd3663088b0e8fed48b19bf950f8a6680fea9d3b0a478ac1fbfbcefeeef
SHA512

6df19c26284e5aa2951692ecdeb59ce7cb4861b181c468857be58c51344a2807450337ca1c8e3539422d44cb8939f169b7bf1b957aff0e7e7bf7995876a4a928

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1940	2920	WerFault.exe	66

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	1940	WerFault.exe
Token: SeBackupPrivilege	1940	WerFault.exe
Token: SeDebugPrivilege	1940	WerFault.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
1940	WerFault.exe
1940	WerFault.exe
1940	WerFault.exe
1940	WerFault.exe
1940	WerFault.exe
1940	WerFault.exe
1940	WerFault.exe
1940	WerFault.exe
1940	WerFault.exe
1940	WerFault.exe
1940	WerFault.exe
1940	WerFault.exe
1940	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\RFP_NDT_ServicesandEquipments_Proposal_Project_dwg.exe
"C:\Users\Admin\AppData\Local\Temp\RFP_NDT_ServicesandEquipments_Proposal_Project_dwg.exe"
1⤵
PID:2920
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2920 -s 1148
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  PID:1940

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1940-0-0x0000000004760000-0x0000000004761000-memory.dmp

Filesize
4KB

Download
memory/1940-1-0x0000000004DA0000-0x0000000004DA1000-memory.dmp

Filesize
4KB

Download