ee2a89fa1ed80e14eb7fc1a74780d480c574307d0d40aac90c22e8ab7d8b9332 | Triage

Analysis

max time kernel
65s
max time network
116s
platform
windows10_x64
resource
win10
submitted
13-07-2020 06:43

Sharing

Report Analysis Logs

General

Target

RFQ PO-05612020_pdf.exe
Size

351KB
MD5

1b752bcc97d601f051ee22881b4ae85c
SHA1

6a94e417c140c64bb2d45955eba08efe72cc89e5
SHA256

ee2a89fa1ed80e14eb7fc1a74780d480c574307d0d40aac90c22e8ab7d8b9332
SHA512

657f470688c9b4ba1756be778991fd7dec0ca18f24e1ef04686101461269d4c1a43107ee80e3ea646137ff4e8d33ae06b617f36736f9ef3170ce43552fe45868

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3804 3588 WerFault.exe RFQ PO-05612020_pdf.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

WerFault.exe

pid	process
3804	WerFault.exe
3804	WerFault.exe
3804	WerFault.exe
3804	WerFault.exe
3804	WerFault.exe
3804	WerFault.exe
3804	WerFault.exe
3804	WerFault.exe
3804	WerFault.exe
3804	WerFault.exe
3804	WerFault.exe
3804	WerFault.exe
3804	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 3804 WerFault.exe
Token: SeBackupPrivilege 3804 WerFault.exe
Token: SeDebugPrivilege 3804 WerFault.exe

C:\Users\Admin\AppData\Local\Temp\RFQ PO-05612020_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ PO-05612020_pdf.exe"
1⤵
PID:3588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 1140
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3804

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3804-0-0x0000000004AC0000-0x0000000004AC1000-memory.dmp

Filesize
4KB

Download
memory/3804-1-0x0000000005200000-0x0000000005201000-memory.dmp

Filesize
4KB

Download