b5cc8b2d62e6c2d6a9bf080c4c41e19295af7dae7230a63b7f6ad8def08e7ea2 | Triage

Analysis

max time kernel
142s
max time network
129s
platform
windows10_x64
resource
win10v200430
submitted
09-07-2020 06:38

Sharing

Report Analysis Logs

General

Target

Quotation Needed pdf.exe
Size

461KB
MD5

cc3ab2b9346d2a7bb4ce7b1dfaae02d1
SHA1

39454936e7f7945afd9b8cefe3ee87e4a0dcc97d
SHA256

b5cc8b2d62e6c2d6a9bf080c4c41e19295af7dae7230a63b7f6ad8def08e7ea2
SHA512

ac9117afad150ab5dc4b23e6e6716617c0510cf188f7958aaad570768d24473c6b545fbada835fa9cbbf2607a7ab8ac946691d1c9e3c4beca7c7cfc160e542e4

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2252	968	WerFault.exe	65

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	2252	WerFault.exe
Token: SeBackupPrivilege	2252	WerFault.exe
Token: SeDebugPrivilege	2252	WerFault.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2252	WerFault.exe
2252	WerFault.exe
2252	WerFault.exe
2252	WerFault.exe
2252	WerFault.exe
2252	WerFault.exe
2252	WerFault.exe
2252	WerFault.exe
2252	WerFault.exe
2252	WerFault.exe
2252	WerFault.exe
2252	WerFault.exe
2252	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\Quotation Needed pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation Needed pdf.exe"
1⤵
PID:968
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 968 -s 1140
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  PID:2252

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2252-0-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/2252-1-0x0000000005580000-0x0000000005581000-memory.dmp

Filesize
4KB

Download