816ba0410d3765fad3ab66a6a1b9656e8c0c84a3387611f491be6ac7bad99ed1 | Triage

Analysis

max time kernel
147s
max time network
99s
platform
windows10_x64
resource
win10v200430
submitted
09/07/2020, 12:06

Sharing

Report Analysis Logs

General

Target

SCAN#DHL-PDF1822.exe
Size

544KB
MD5

96212af51809372d313ce7fb9d650ccd
SHA1

38a781f245fbc5d4d4962fe69afbf81b0ea1f212
SHA256

816ba0410d3765fad3ab66a6a1b9656e8c0c84a3387611f491be6ac7bad99ed1
SHA512

7b2c87d2e22ce284180fa50c9ff35580a1c96f940668452605dc05294ad1d013ff20c87a33b1f5ec63ce9ef011c993a09bf2212bb0bf3351de9bc8fcba8174a0

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2496	3692	WerFault.exe	65

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2496	WerFault.exe
2496	WerFault.exe
2496	WerFault.exe
2496	WerFault.exe
2496	WerFault.exe
2496	WerFault.exe
2496	WerFault.exe
2496	WerFault.exe
2496	WerFault.exe
2496	WerFault.exe
2496	WerFault.exe
2496	WerFault.exe
2496	WerFault.exe
2496	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	2496	WerFault.exe
Token: SeBackupPrivilege	2496	WerFault.exe
Token: SeDebugPrivilege	2496	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\SCAN#DHL-PDF1822.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN#DHL-PDF1822.exe"
1⤵
PID:3692
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3692 -s 1140
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2496

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2496-0-0x0000000004E00000-0x0000000004E01000-memory.dmp

Filesize
4KB

Download
memory/2496-1-0x0000000004E00000-0x0000000004E01000-memory.dmp

Filesize
4KB

Download
memory/2496-3-0x00000000056B0000-0x00000000056B1000-memory.dmp

Filesize
4KB

Download