d7edec42151eb4762b265be6014bd7f391c948406a46a9f997337e2b80424193 | Triage

Analysis

max time kernel
135s
max time network
69s
platform
windows10_x64
resource
win10v200430
submitted
08/07/2020, 05:16

Sharing

Report Analysis Logs

General

Target

DOC927-TT823-2837_pdf.exe
Size

222KB
MD5

4fa3f61b3082f60f2b1be0408900bfea
SHA1

4b051e7c9db390c13d1fd297518986fcfdd9f09c
SHA256

d7edec42151eb4762b265be6014bd7f391c948406a46a9f997337e2b80424193
SHA512

ecf6623e7e9a20f08cf3ae2f8da5e51b6047fe5613c2ef7c99db7d98e8bb3d6cf51c81475db194e3d380c69b64bb2197fe343914f766068a5439729e69a1a218

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2600	1516	WerFault.exe	65

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	2600	WerFault.exe
Token: SeBackupPrivilege	2600	WerFault.exe
Token: SeDebugPrivilege	2600	WerFault.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2600	WerFault.exe
2600	WerFault.exe
2600	WerFault.exe
2600	WerFault.exe
2600	WerFault.exe
2600	WerFault.exe
2600	WerFault.exe
2600	WerFault.exe
2600	WerFault.exe
2600	WerFault.exe
2600	WerFault.exe
2600	WerFault.exe
2600	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\DOC927-TT823-2837_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\DOC927-TT823-2837_pdf.exe"
1⤵
PID:1516
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 1144
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  PID:2600

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2600-0-0x0000000004670000-0x0000000004671000-memory.dmp

Filesize
4KB

Download
memory/2600-1-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download