6c10ad5e7c9768684b4c869b3d6d974e07245af487170866b38bb2a5f4a756c6 | Triage

Analysis

max time kernel
136s
max time network
107s
platform
windows10_x64
resource
win10v200430
submitted
16-07-2020 18:39

Sharing

Report Analysis Logs

General

Target

JQ2341024749.pdf.exe
Size

545KB
MD5

32e8a4dfef3ba9272759b8cc19e0428b
SHA1

6c2fa10d8f4f68c8cc440e31b1625acf783973ce
SHA256

6c10ad5e7c9768684b4c869b3d6d974e07245af487170866b38bb2a5f4a756c6
SHA512

4f20df5f058e1987e0cc81c6724c215e8af4a2a67c47a2e4e21691ea2b0f992cfa401d5e3aba1cad0d89ee91788780223330ee0120b7e4798a3c69c7abae3e52

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2748	2804	WerFault.exe	65

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2748	WerFault.exe
2748	WerFault.exe
2748	WerFault.exe
2748	WerFault.exe
2748	WerFault.exe
2748	WerFault.exe
2748	WerFault.exe
2748	WerFault.exe
2748	WerFault.exe
2748	WerFault.exe
2748	WerFault.exe
2748	WerFault.exe
2748	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	2748	WerFault.exe
Token: SeBackupPrivilege	2748	WerFault.exe
Token: SeDebugPrivilege	2748	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\JQ2341024749.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\JQ2341024749.pdf.exe"
1⤵
PID:2804
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2804 -s 912
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2748

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2748-0-0x0000000004E80000-0x0000000004E81000-memory.dmp

Filesize
4KB

Download
memory/2748-1-0x0000000004E80000-0x0000000004E81000-memory.dmp

Filesize
4KB

Download
memory/2748-3-0x0000000005570000-0x0000000005571000-memory.dmp

Filesize
4KB

Download