e0946b05635011f81ce5534b1d49bec2dd2cb184af87c7ebea2f55d91e0a07cf | Triage

Analysis

max time kernel
126s
max time network
149s
platform
windows10_x64
resource
win10v200430
submitted
09/07/2020, 17:30

Sharing

Report Analysis Logs

General

Target

RFQ 2O8372929_PDF.exe
Size

553KB
MD5

4239c1115b482a8cf2d015480e6e54b0
SHA1

9c85da548aaaef07e9a4f0f00534a869b8e60bd1
SHA256

e0946b05635011f81ce5534b1d49bec2dd2cb184af87c7ebea2f55d91e0a07cf
SHA512

d1db3625db842984c2aba9266590e0dcaa1b3946fb0df4173f041b4d1407e952d65d347f727cc4a0f4e5ccf9467e7142395655ba9f615d6e4b8f4e92fb6458d3

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4060	1628	WerFault.exe	67

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
4060	WerFault.exe
4060	WerFault.exe
4060	WerFault.exe
4060	WerFault.exe
4060	WerFault.exe
4060	WerFault.exe
4060	WerFault.exe
4060	WerFault.exe
4060	WerFault.exe
4060	WerFault.exe
4060	WerFault.exe
4060	WerFault.exe
4060	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	4060	WerFault.exe
Token: SeBackupPrivilege	4060	WerFault.exe
Token: SeDebugPrivilege	4060	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\RFQ 2O8372929_PDF.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ 2O8372929_PDF.exe"
1⤵
PID:1628
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1628 -s 920
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4060

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4060-0-0x0000000004710000-0x0000000004711000-memory.dmp

Filesize
4KB

Download
memory/4060-1-0x0000000004C50000-0x0000000004C51000-memory.dmp

Filesize
4KB

Download
memory/4060-2-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download