8e19aa41d4d9df55db350241ee00258f455501449ad3054c09b0ee7b148da430 | Triage

Analysis

max time kernel
131s
max time network
125s
platform
windows10_x64
resource
win10
submitted
13-07-2020 06:39

Sharing

Report Analysis Logs

General

Target

DHL Shipping Document_PDF.exe
Size

313KB
MD5

6f93148cc0b4a11464c0ad521de71b6f
SHA1

d81a93d5ae58848934211d3032833b775b8e1da4
SHA256

8e19aa41d4d9df55db350241ee00258f455501449ad3054c09b0ee7b148da430
SHA512

eb854e474e6c15f526baed5e0c6dd288498515eca1e1e44712a25d65b2f48ff318e1f07828590b0eda3f7134ded740f3abc360d0d887095d1dce37c7c418b0db

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3776 384 WerFault.exe DHL Shipping Document_PDF.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

WerFault.exe

pid	process
3776	WerFault.exe
3776	WerFault.exe
3776	WerFault.exe
3776	WerFault.exe
3776	WerFault.exe
3776	WerFault.exe
3776	WerFault.exe
3776	WerFault.exe
3776	WerFault.exe
3776	WerFault.exe
3776	WerFault.exe
3776	WerFault.exe
3776	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 3776 WerFault.exe
Token: SeBackupPrivilege 3776 WerFault.exe
Token: SeDebugPrivilege 3776 WerFault.exe

C:\Users\Admin\AppData\Local\Temp\DHL Shipping Document_PDF.exe
"C:\Users\Admin\AppData\Local\Temp\DHL Shipping Document_PDF.exe"
1⤵
PID:384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 384 -s 1136
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3776

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3776-0-0x00000000046B0000-0x00000000046B1000-memory.dmp

Filesize
4KB

Download
memory/3776-1-0x0000000004DF0000-0x0000000004DF1000-memory.dmp

Filesize
4KB

Download