e803f10811608ea8e2179185e8c334b22b71097e3a7ec5b56909e3779834ed9b | Triage

Analysis

max time kernel
90s
max time network
92s
platform
windows10_x64
resource
win10v200430
submitted
10/07/2020, 11:23

Sharing

Report Analysis Logs

General

Target

doc.exe
Size

679KB
MD5

c1937217fef2842a39e32e44bc031a05
SHA1

f2a06669e006d5040a1c432b7338e0c2cc046456
SHA256

e803f10811608ea8e2179185e8c334b22b71097e3a7ec5b56909e3779834ed9b
SHA512

0a73042243d2f7958fb7187f65bd1cb8e4eb289bb1cecadbcb57ed0e95cc8da7a148efc179bea355bf7192afe440ce4f36dd2dbb886178b3e3a2cdbbb540a0b8

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1708	2564	WerFault.exe	65

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2564	doc.exe
1708	WerFault.exe
1708	WerFault.exe
1708	WerFault.exe
1708	WerFault.exe
1708	WerFault.exe
1708	WerFault.exe
1708	WerFault.exe
1708	WerFault.exe
1708	WerFault.exe
1708	WerFault.exe
1708	WerFault.exe
1708	WerFault.exe
1708	WerFault.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2564	doc.exe
Token: SeRestorePrivilege	1708	WerFault.exe
Token: SeBackupPrivilege	1708	WerFault.exe
Token: SeDebugPrivilege	1708	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\doc.exe
"C:\Users\Admin\AppData\Local\Temp\doc.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2564
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 1252
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1708

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1708-0-0x0000000004260000-0x0000000004261000-memory.dmp

Filesize
4KB

Download
memory/1708-1-0x0000000004820000-0x0000000004821000-memory.dmp

Filesize
4KB

Download