6a9263966518a0954d30630177c32a28fa2dc297e154cc453d964034374b1009 | Triage

Analysis

max time kernel
131s
max time network
126s
platform
windows10_x64
resource
win10
submitted
13-07-2020 13:37

Sharing

Report Analysis Logs

General

Target

invoice.pdf.exe
Size

291KB
MD5

06c5295adf8e75f15e92282074f3109a
SHA1

1f85e23fd58e8438c0de85829da909d7b4be3dcc
SHA256

6a9263966518a0954d30630177c32a28fa2dc297e154cc453d964034374b1009
SHA512

11de33b485b90f1092991fdb011fdfa70a225f1ae525e6af72a09ccde21897a5f8469bc530b6a9e47b6c0a2c7beeb9b47dbbb01f81de8f4b2f330d17b04af1aa

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3776	2288	WerFault.exe	66

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
3776	WerFault.exe
3776	WerFault.exe
3776	WerFault.exe
3776	WerFault.exe
3776	WerFault.exe
3776	WerFault.exe
3776	WerFault.exe
3776	WerFault.exe
3776	WerFault.exe
3776	WerFault.exe
3776	WerFault.exe
3776	WerFault.exe
3776	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	3776	WerFault.exe
Token: SeBackupPrivilege	3776	WerFault.exe
Token: SeDebugPrivilege	3776	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\invoice.pdf.exe"
1⤵
PID:2288
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2288 -s 1136
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3776

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3776-0-0x0000000004710000-0x0000000004711000-memory.dmp

Filesize
4KB

Download
memory/3776-1-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download