f892f7e0b4bcfd9084ac791d72a87a95a16ca175a154faf0a2e24da5dd205bce | Triage

Analysis

max time kernel
65s
max time network
99s
platform
windows10_x64
resource
win10v200430
submitted
10/07/2020, 05:46

Sharing

Report Analysis Logs

General

Target

invoice.pdf.exe
Size

439KB
MD5

8e8165e74a734ef4504df4fc4b014f8d
SHA1

ce43b52541df7cdc3f4053d201517adb447005c9
SHA256

f892f7e0b4bcfd9084ac791d72a87a95a16ca175a154faf0a2e24da5dd205bce
SHA512

101124fe99affa3944d3fe225c1e3065548c2e0faff42dd58fcfbed295d91e41733a068e6a629aba91ad5c5258565cbd47f2f4544e10d8a418c7ae1edf5cb5f4

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1828	1008	WerFault.exe	65

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
1828	WerFault.exe
1828	WerFault.exe
1828	WerFault.exe
1828	WerFault.exe
1828	WerFault.exe
1828	WerFault.exe
1828	WerFault.exe
1828	WerFault.exe
1828	WerFault.exe
1828	WerFault.exe
1828	WerFault.exe
1828	WerFault.exe
1828	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	1828	WerFault.exe
Token: SeBackupPrivilege	1828	WerFault.exe
Token: SeDebugPrivilege	1828	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
1⤵
PID:1008
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1008 -s 912
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1828

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1828-0-0x0000000004940000-0x0000000004941000-memory.dmp

Filesize
4KB

Download
memory/1828-2-0x0000000004F70000-0x0000000004F71000-memory.dmp

Filesize
4KB

Download