9b6b2038805b770162eb920f87e9ca06742f72d7b2034883c9b90d41e0c06e93 | Triage

Analysis

max time kernel
146s
max time network
105s
platform
windows10_x64
resource
win10v200430
submitted
16-07-2020 16:53

Sharing

Report Analysis Logs

General

Target

SALES_ORDER_PDF.exe
Size

822KB
MD5

0bc06640c493f1fb414325577dd4921c
SHA1

d2ad2c778cf19a9c50a2b8bec97326017153b215
SHA256

9b6b2038805b770162eb920f87e9ca06742f72d7b2034883c9b90d41e0c06e93
SHA512

e33eff8f1fe03a00f57e6c2df49180793d01684acb3e32e1cbb9b02990cd2cd00770b770cc1c0d74f2e6fe7577e77d62cd2a432fa82696946ad13fabc270eddd

Score

3^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2076	WerFault.exe
2076	WerFault.exe
2076	WerFault.exe
2076	WerFault.exe
2076	WerFault.exe
2076	WerFault.exe
2076	WerFault.exe
2076	WerFault.exe
2076	WerFault.exe
2076	WerFault.exe
2076	WerFault.exe
2076	WerFault.exe
2076	WerFault.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2076	3008	WerFault.exe	65

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	2076	WerFault.exe
Token: SeBackupPrivilege	2076	WerFault.exe
Token: SeDebugPrivilege	2076	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\SALES_ORDER_PDF.exe
"C:\Users\Admin\AppData\Local\Temp\SALES_ORDER_PDF.exe"
1⤵
PID:3008
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3008 -s 916
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:2076

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2076-0-0x0000000004D00000-0x0000000004D01000-memory.dmp

Filesize
4KB

Download
memory/2076-1-0x0000000005340000-0x0000000005341000-memory.dmp

Filesize
4KB

Download