0c39b4af77c7279bf8a36e9e337f0ca1af96ca31c1fda5599c5dc8183118e54c | Triage

Analysis

max time kernel
122s
max time network
117s
platform
windows10_x64
resource
win10
submitted
17/07/2020, 17:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

DOC.exe
Size

766KB
MD5

c7685d6c04940a9a9bdce7645ad5121d
SHA1

352ad790c8582959f43c453d4918f02a0333afdc
SHA256

0c39b4af77c7279bf8a36e9e337f0ca1af96ca31c1fda5599c5dc8183118e54c
SHA512

71ddb906085282566d41c2527a721013349e4c7df6cfd676584c03702c789d9313dcb1363679af78ce57123129491bb657c9c60c34cda262fe0ff4d05140ea61

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4000	344	WerFault.exe	66

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
4000	WerFault.exe
4000	WerFault.exe
4000	WerFault.exe
4000	WerFault.exe
4000	WerFault.exe
4000	WerFault.exe
4000	WerFault.exe
4000	WerFault.exe
4000	WerFault.exe
4000	WerFault.exe
4000	WerFault.exe
4000	WerFault.exe
4000	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	4000	WerFault.exe
Token: SeBackupPrivilege	4000	WerFault.exe
Token: SeDebugPrivilege	4000	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\DOC.exe
"C:\Users\Admin\AppData\Local\Temp\DOC.exe"
1⤵
PID:344
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 344 -s 908
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4000

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4000-0-0x0000000004920000-0x0000000004921000-memory.dmp

Filesize
4KB

Download
memory/4000-1-0x0000000004EE0000-0x0000000004EE1000-memory.dmp

Filesize
4KB

Download