f71131394d99b86b0a3103691f80345859a273bc8a0c6c83e7629b28de1d922e | Triage

Analysis

max time kernel
120s
max time network
147s
platform
windows10_x64
resource
win10
submitted
09-07-2020 06:34

Sharing

Report Analysis Logs

General

Target

Quotation 76640.Scan.pdf...exe
Size

798KB
MD5

381fb41c036095c3e98a9fa0f2103969
SHA1

1fcb1e3cae11b476f54d5148c83a8a0a1a3f75db
SHA256

f71131394d99b86b0a3103691f80345859a273bc8a0c6c83e7629b28de1d922e
SHA512

42cb37fd9938e7a12a8eb80c100fb61a25d1d5993fa696b8d59a609444cd9682ff659d1d7bfdfe987f6eec8a380550c705c5700ebd5108bade4cd0743b566b4d

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3348 3632 WerFault.exe Quotation 76640.Scan.pdf...exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 3348 WerFault.exe
Token: SeBackupPrivilege 3348 WerFault.exe
Token: SeDebugPrivilege 3348 WerFault.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

WerFault.exe

pid	process
3348	WerFault.exe
3348	WerFault.exe
3348	WerFault.exe
3348	WerFault.exe
3348	WerFault.exe
3348	WerFault.exe
3348	WerFault.exe
3348	WerFault.exe
3348	WerFault.exe
3348	WerFault.exe
3348	WerFault.exe
3348	WerFault.exe
3348	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\Quotation 76640.Scan.pdf...exe
"C:\Users\Admin\AppData\Local\Temp\Quotation 76640.Scan.pdf...exe"
1⤵
PID:3632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3632 -s 1148
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:3348

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3348-0-0x00000000045D0000-0x00000000045D1000-memory.dmp

Filesize
4KB

Download
memory/3348-1-0x0000000004D90000-0x0000000004D91000-memory.dmp

Filesize
4KB

Download