a56855064cde16356d60565bc667ae8450e8604f66b6c30dfe94c97703e36a96 | Triage

Analysis

max time kernel
138s
max time network
106s
platform
windows10_x64
resource
win10v200430
submitted
15-07-2020 07:47

Sharing

Report Analysis Logs

General

Target

RFQ.pdf.exe
Size

1.1MB
MD5

40ebf8bb674b984b2485616e70581f47
SHA1

9459e7e5c22744f79477aa0aeea03d628bfb9cc3
SHA256

a56855064cde16356d60565bc667ae8450e8604f66b6c30dfe94c97703e36a96
SHA512

f0a88a5ef1de7bdb76bcf92699e1c6e484adbd4e4642ce705cb5f923feaa3965f5d4be7f52c7a9cec219a4ebe27eb83f62882ebcf066d2cd7ac28c55654a989f

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2672	3576	WerFault.exe	65

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2672	WerFault.exe
2672	WerFault.exe
2672	WerFault.exe
2672	WerFault.exe
2672	WerFault.exe
2672	WerFault.exe
2672	WerFault.exe
2672	WerFault.exe
2672	WerFault.exe
2672	WerFault.exe
2672	WerFault.exe
2672	WerFault.exe
2672	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	2672	WerFault.exe
Token: SeBackupPrivilege	2672	WerFault.exe
Token: SeDebugPrivilege	2672	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\RFQ.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ.pdf.exe"
1⤵
PID:3576
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 936
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2672

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2672-0-0x00000000045F0000-0x00000000045F1000-memory.dmp

Filesize
4KB

Download
memory/2672-1-0x00000000045F0000-0x00000000045F1000-memory.dmp

Filesize
4KB

Download
memory/2672-3-0x00000000046F0000-0x00000000046F1000-memory.dmp

Filesize
4KB

Download
memory/2672-4-0x0000000004AF0000-0x0000000004AF1000-memory.dmp

Filesize
4KB

Download