bec49428d91505adca491651a2376e3d90e33091dad7c2b63a7db472d2a28e57 | Triage

Analysis

max time kernel
122s
max time network
124s
platform
windows10_x64
resource
win10
submitted
09/07/2020, 06:34

Sharing

Report Analysis Logs

General

Target

Nuevo pedido 8974___pdf.exe
Size

556KB
MD5

c16e0d68c8eaf8a146ac8ac23c643c73
SHA1

b0e83b053d4383266c1d40421774ae623582be5f
SHA256

bec49428d91505adca491651a2376e3d90e33091dad7c2b63a7db472d2a28e57
SHA512

bfe2a3fe90287ef3e9565dd95b81011ae235fb5ed4d42b46571e4dc7c530225fd51e1daad87b59ece564e9da73f6bc3bdfc1fd3340df1e28112fd8693a9967dc

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3820	976	WerFault.exe	66

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	3820	WerFault.exe
Token: SeBackupPrivilege	3820	WerFault.exe
Token: SeDebugPrivilege	3820	WerFault.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
3820	WerFault.exe
3820	WerFault.exe
3820	WerFault.exe
3820	WerFault.exe
3820	WerFault.exe
3820	WerFault.exe
3820	WerFault.exe
3820	WerFault.exe
3820	WerFault.exe
3820	WerFault.exe
3820	WerFault.exe
3820	WerFault.exe
3820	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\Nuevo pedido 8974___pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Nuevo pedido 8974___pdf.exe"
1⤵
PID:976
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 976 -s 1144
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  PID:3820

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3820-0-0x0000000004E00000-0x0000000004E01000-memory.dmp

Filesize
4KB

Download
memory/3820-1-0x0000000005970000-0x0000000005971000-memory.dmp

Filesize
4KB

Download