20e1f222ebae73bc71db60552d3733124fc5a2ce835ca2dde406c34217e6a061 | Triage

Analysis

max time kernel
118s
max time network
123s
platform
windows10_x64
resource
win10
submitted
31-07-2020 13:45

Sharing

Report Analysis Logs

General

Target

PAYMENT ADVICE.pdf.exe
Size

394KB
MD5

1275d29213c2580894371739beb16148
SHA1

5591bfdbad8f70d177b2889f0242d858fafc7750
SHA256

20e1f222ebae73bc71db60552d3733124fc5a2ce835ca2dde406c34217e6a061
SHA512

341ca5b3cc511f01abbc671d973c83e3673ad1dd605b70771182b0c894d1979fb73259fec99e95d24205be87e1fb0ecd77bf1d3b9cfacd378ff794fe69c39280

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3892 3104 WerFault.exe PAYMENT ADVICE.pdf.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 3892 WerFault.exe
Token: SeBackupPrivilege 3892 WerFault.exe
Token: SeDebugPrivilege 3892 WerFault.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

WerFault.exe

pid	process
3892	WerFault.exe
3892	WerFault.exe
3892	WerFault.exe
3892	WerFault.exe
3892	WerFault.exe
3892	WerFault.exe
3892	WerFault.exe
3892	WerFault.exe
3892	WerFault.exe
3892	WerFault.exe
3892	WerFault.exe
3892	WerFault.exe
3892	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\PAYMENT ADVICE.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\PAYMENT ADVICE.pdf.exe"
1⤵
PID:3104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3104 -s 1172
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:3892

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3892-0-0x00000000046D0000-0x00000000046D1000-memory.dmp

Filesize
4KB

Download
memory/3892-1-0x00000000046D0000-0x00000000046D1000-memory.dmp

Filesize
4KB

Download
memory/3892-3-0x00000000049D0000-0x00000000049D1000-memory.dmp

Filesize
4KB

Download