8ea404b56d3341cbcc42c2f9b99c6cf8aa457d94b5319e19bee72859be9b1c32 | Triage

Analysis

max time kernel
67s
max time network
119s
platform
windows10_x64
resource
win10
submitted
10/07/2020, 07:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

IMAGES-001-QUOTE REQUEST #21800176_354667485903 _09_07_2020PDF.exe
Size

504KB
MD5

c1b13db471da675d9887133f6de51d4d
SHA1

ee4185e2232581c17e45b5598a07a99f49887364
SHA256

8ea404b56d3341cbcc42c2f9b99c6cf8aa457d94b5319e19bee72859be9b1c32
SHA512

40076fb9f71a1c96be4883cc595a7cbee3da9701ad2633d20a31d125a19382ad14b43de18ff17eac96d211e2885137d61ee34065739c6b5967592a91c8050a65

Score

3^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
3812	WerFault.exe
3812	WerFault.exe
3812	WerFault.exe
3812	WerFault.exe
3812	WerFault.exe
3812	WerFault.exe
3812	WerFault.exe
3812	WerFault.exe
3812	WerFault.exe
3812	WerFault.exe
3812	WerFault.exe
3812	WerFault.exe
3812	WerFault.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3812	3984	WerFault.exe	66

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	3812	WerFault.exe
Token: SeBackupPrivilege	3812	WerFault.exe
Token: SeDebugPrivilege	3812	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\IMAGES-001-QUOTE REQUEST #21800176_354667485903 _09_07_2020PDF.exe
"C:\Users\Admin\AppData\Local\Temp\IMAGES-001-QUOTE REQUEST #21800176_354667485903 _09_07_2020PDF.exe"
1⤵
PID:3984
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3984 -s 912
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:3812

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3812-0-0x0000000004210000-0x0000000004211000-memory.dmp

Filesize
4KB

Download
memory/3812-1-0x00000000048C0000-0x00000000048C1000-memory.dmp

Filesize
4KB

Download