17a6ef291331acb9fc408450a61d0aabd3db01fcea33592c32c6d955f7d35d19 | Triage

Analysis

max time kernel
126s
max time network
150s
platform
windows10_x64
resource
win10v200430
submitted
12/07/2020, 04:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

INV-DOCUMENTS_2019EA1120.PDF.exe
Size

455KB
MD5

5fabcf20e6b192a9a83162a307a92f66
SHA1

fef4bfa9b539c4a227dca23f53a080253f8e9730
SHA256

17a6ef291331acb9fc408450a61d0aabd3db01fcea33592c32c6d955f7d35d19
SHA512

cab16c5c93d0c746d2e68665264b21dcf179b8a0a5ee9c6a5e33e9060382a6f25e08accef6f9d2f98fae44e3fde8918fba3830f0c5648042c481e557986085fa

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4060	1612	WerFault.exe	67

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
4060	WerFault.exe
4060	WerFault.exe
4060	WerFault.exe
4060	WerFault.exe
4060	WerFault.exe
4060	WerFault.exe
4060	WerFault.exe
4060	WerFault.exe
4060	WerFault.exe
4060	WerFault.exe
4060	WerFault.exe
4060	WerFault.exe
4060	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	4060	WerFault.exe
Token: SeBackupPrivilege	4060	WerFault.exe
Token: SeDebugPrivilege	4060	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\INV-DOCUMENTS_2019EA1120.PDF.exe
"C:\Users\Admin\AppData\Local\Temp\INV-DOCUMENTS_2019EA1120.PDF.exe"
1⤵
PID:1612
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 1140
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4060

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4060-0-0x0000000004E60000-0x0000000004E61000-memory.dmp

Filesize
4KB

Download
memory/4060-1-0x00000000054A0000-0x00000000054A1000-memory.dmp

Filesize
4KB

Download