6c34622d44f5902532e5a5d62413bf96700fad63b9ceb5fe64f64e1e53c0e889 | Triage

Analysis

max time kernel
137s
max time network
105s
platform
windows10_x64
resource
win10v200430
submitted
15-07-2020 20:01

Sharing

Report Analysis Logs

General

Target

CV-JOB REQUEST______pdf.exe
Size

479KB
MD5

e98155dd2787910e9e037226aaae3842
SHA1

f3d48807a19e5e7e59bb1ba0025f05d8eafcfdfe
SHA256

6c34622d44f5902532e5a5d62413bf96700fad63b9ceb5fe64f64e1e53c0e889
SHA512

8b263c9953adc73421805e2e7edb82f3477988d5a95ed44c1254fcf9aaede1cd1d107e63d977e9e87f29307875012b4cc5c66bc1ab051dabfd477e1c315ff582

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2820	640	WerFault.exe	65

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2820	WerFault.exe
2820	WerFault.exe
2820	WerFault.exe
2820	WerFault.exe
2820	WerFault.exe
2820	WerFault.exe
2820	WerFault.exe
2820	WerFault.exe
2820	WerFault.exe
2820	WerFault.exe
2820	WerFault.exe
2820	WerFault.exe
2820	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	2820	WerFault.exe
Token: SeBackupPrivilege	2820	WerFault.exe
Token: SeDebugPrivilege	2820	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\CV-JOB REQUEST______pdf.exe
"C:\Users\Admin\AppData\Local\Temp\CV-JOB REQUEST______pdf.exe"
1⤵
PID:640
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 640 -s 920
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2820

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2820-0-0x0000000004C40000-0x0000000004C41000-memory.dmp

Filesize
4KB

Download
memory/2820-1-0x0000000005310000-0x0000000005311000-memory.dmp

Filesize
4KB

Download