ee2a89fa1ed80e14eb7fc1a74780d480c574307d0d40aac90c22e8ab7d8b9332 | Triage

Analysis

max time kernel
65s
max time network
116s
platform
windows10_x64
resource
win10
submitted
13/07/2020, 06:43

Sharing

Report Analysis Logs

General

Target

RFQ PO-05612020_pdf.exe
Size

351KB
MD5

1b752bcc97d601f051ee22881b4ae85c
SHA1

6a94e417c140c64bb2d45955eba08efe72cc89e5
SHA256

ee2a89fa1ed80e14eb7fc1a74780d480c574307d0d40aac90c22e8ab7d8b9332
SHA512

657f470688c9b4ba1756be778991fd7dec0ca18f24e1ef04686101461269d4c1a43107ee80e3ea646137ff4e8d33ae06b617f36736f9ef3170ce43552fe45868

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3804	3588	WerFault.exe	66

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
3804	WerFault.exe
3804	WerFault.exe
3804	WerFault.exe
3804	WerFault.exe
3804	WerFault.exe
3804	WerFault.exe
3804	WerFault.exe
3804	WerFault.exe
3804	WerFault.exe
3804	WerFault.exe
3804	WerFault.exe
3804	WerFault.exe
3804	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	3804	WerFault.exe
Token: SeBackupPrivilege	3804	WerFault.exe
Token: SeDebugPrivilege	3804	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\RFQ PO-05612020_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ PO-05612020_pdf.exe"
1⤵
PID:3588
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 1140
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3804

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3804-0-0x0000000004AC0000-0x0000000004AC1000-memory.dmp

Filesize
4KB

Download
memory/3804-1-0x0000000005200000-0x0000000005201000-memory.dmp

Filesize
4KB

Download