b01fa74e309cff0ee5f5a43a9a908df88a9577d5e21fe251361fa1a89addba06 | Triage

Analysis

max time kernel
65s
max time network
101s
platform
windows10_x64
resource
win10v200430
submitted
14/07/2020, 14:55

Sharing

Report Analysis Logs

General

Target

DOC.exe
Size

912KB
MD5

cf458db8fe54a5ea272af51fec36de4e
SHA1

5c806224e02bc9a8c0c35c45a0a56306096939dd
SHA256

b01fa74e309cff0ee5f5a43a9a908df88a9577d5e21fe251361fa1a89addba06
SHA512

4b7a5c9c5fa15935ed3888420f82b59cb964831b423c5f7639b4198204fe5ccc9d9389b5fbcb5032ce8fefde3c5a6bb378ae4cace3cf5ba63541935168a95e02

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2300	2564	WerFault.exe	65

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2300	WerFault.exe
2300	WerFault.exe
2300	WerFault.exe
2300	WerFault.exe
2300	WerFault.exe
2300	WerFault.exe
2300	WerFault.exe
2300	WerFault.exe
2300	WerFault.exe
2300	WerFault.exe
2300	WerFault.exe
2300	WerFault.exe
2300	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	2300	WerFault.exe
Token: SeBackupPrivilege	2300	WerFault.exe
Token: SeDebugPrivilege	2300	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\DOC.exe
"C:\Users\Admin\AppData\Local\Temp\DOC.exe"
1⤵
PID:2564
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 904
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2300

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2300-0-0x00000000044F0000-0x00000000044F1000-memory.dmp

Filesize
4KB

Download
memory/2300-1-0x0000000004830000-0x0000000004831000-memory.dmp

Filesize
4KB

Download