f892f7e0b4bcfd9084ac791d72a87a95a16ca175a154faf0a2e24da5dd205bce | Triage

Analysis

max time kernel
65s
max time network
99s
platform
windows10_x64
resource
win10v200430
submitted
10-07-2020 05:46

Sharing

Report Analysis Logs

General

Target

invoice.pdf.exe
Size

439KB
MD5

8e8165e74a734ef4504df4fc4b014f8d
SHA1

ce43b52541df7cdc3f4053d201517adb447005c9
SHA256

f892f7e0b4bcfd9084ac791d72a87a95a16ca175a154faf0a2e24da5dd205bce
SHA512

101124fe99affa3944d3fe225c1e3065548c2e0faff42dd58fcfbed295d91e41733a068e6a629aba91ad5c5258565cbd47f2f4544e10d8a418c7ae1edf5cb5f4

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1828 1008 WerFault.exe invoice.pdf.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

WerFault.exe

pid	process
1828	WerFault.exe
1828	WerFault.exe
1828	WerFault.exe
1828	WerFault.exe
1828	WerFault.exe
1828	WerFault.exe
1828	WerFault.exe
1828	WerFault.exe
1828	WerFault.exe
1828	WerFault.exe
1828	WerFault.exe
1828	WerFault.exe
1828	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 1828 WerFault.exe
Token: SeBackupPrivilege 1828 WerFault.exe
Token: SeDebugPrivilege 1828 WerFault.exe

C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
1⤵
PID:1008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1008 -s 912
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1828

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1828-0-0x0000000004940000-0x0000000004941000-memory.dmp

Filesize
4KB

Download
memory/1828-2-0x0000000004F70000-0x0000000004F71000-memory.dmp

Filesize
4KB

Download