Analysis
max time kernel: 70s
max time network: 97s
platform: windows10_x64
resource: win10
submitted: 10-07-2020 09:29
Static task: static1
Behavioral task: behavioral1
  Sample: PURCHASE ORDER_PDF____________________________________,,,.exe
  Resource: win7 (windows7_x64)
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: PURCHASE ORDER_PDF____________________________________,,,.exe
  Resource: win10 (windows10_x64)
  0 signatures, 0 seconds
General
Target: PURCHASE ORDER_PDF____________________________________,,,.exe
Size: 422KB
MD5: 4f06e6718d72fa923363b59a6268e008
SHA1: f8c9c70f255c8e7813f1923a55f01c7ff4276d7e
SHA256: 6cef6b24f9c34ef5503ed6ba52ded7847882e7599bd39954ff9d3409042eeb74
SHA512: 92f78a861c6c66e8ddfee75a475226ed09e6200b78353725759c560f846e670b3b926db8bc873df0adc2ea2a5ad03937c640081295c8cd1d9a03b7c4300972bc
Score: 3/10
Malware Config
Signatures
Program crash (1 IoC)
  Processes:
  pid   pid_target   process        target process
  3896  3888         WerFault.exe   PURCHASE ORDER_PDF____________________________________,,,.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
  description                  pid   process
  Token: SeRestorePrivilege    3896  WerFault.exe
  Token: SeBackupPrivilege     3896  WerFault.exe
  Token: SeDebugPrivilege      3896  WerFault.exe
Suspicious behavior: EnumeratesProcesses (13 IoCs)
  Processes:
  pid   process
  3896  WerFault.exe (13 occurrences)
Processes
1. C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER_PDF____________________________________,,,.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER_PDF____________________________________,,,.exe"
   PID: 3888
2. C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3888 -s 912
   Signatures: Program crash; Suspicious use of AdjustPrivilegeToken; Suspicious behavior: EnumeratesProcesses
   PID: 3896