334fcafceb7ca23de3e995d89957290ca49594c51b01929309213be32072d90c | Triage

Analysis

max time kernel
147s
max time network
104s
platform
windows10_x64
resource
win10v200430
submitted
16-07-2020 10:02

Sharing

Report Analysis Logs

General

Target

Sinergy Group Order_pdf.exe
Size

545KB
MD5

777efaa4b0dd9ae0a34b5e2fd7626ddb
SHA1

5c0574bf273b4e1d1d39f70993562b347835df85
SHA256

334fcafceb7ca23de3e995d89957290ca49594c51b01929309213be32072d90c
SHA512

794a27d6e80cf5dd2d0ca3129f1ee503daa92d41067f6fbc9acf7eec8c70f09532431ecf68845dd821b080bee32e3dab366013f51300f3e4b96a4974da5703e1

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2524	3692	WerFault.exe	65

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2524	WerFault.exe
2524	WerFault.exe
2524	WerFault.exe
2524	WerFault.exe
2524	WerFault.exe
2524	WerFault.exe
2524	WerFault.exe
2524	WerFault.exe
2524	WerFault.exe
2524	WerFault.exe
2524	WerFault.exe
2524	WerFault.exe
2524	WerFault.exe
2524	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	2524	WerFault.exe
Token: SeBackupPrivilege	2524	WerFault.exe
Token: SeDebugPrivilege	2524	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\Sinergy Group Order_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Sinergy Group Order_pdf.exe"
1⤵
PID:3692
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3692 -s 916
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2524

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2524-0-0x00000000048F0000-0x00000000048F1000-memory.dmp

Filesize
4KB

Download
memory/2524-1-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download