3235eeb992191113c5427d8d3991440e6209fc255a2219c2676197259c2dd510 | Triage

Analysis

max time kernel
145s
max time network
147s
platform
windows10_x64
resource
win10v200722
submitted
31-07-2020 10:15

Sharing

Report Analysis Logs

General

Target

Payment Pdf.exe
Size

608KB
MD5

76747e6f8ac80f5b1835a47a9342ddca
SHA1

5ff4bca1c0e52a4d3e8cb2d2955a3fea53da58bb
SHA256

3235eeb992191113c5427d8d3991440e6209fc255a2219c2676197259c2dd510
SHA512

2d42cef5660f3b131a239f1bb502f907cfb64ab3c1c89991826ca11ff04f7899a9e2b4400873b4f9be50db8c5878317e59f40182fd4f44f8a34047fea5ecd575

Score

3^/10

Malware Config

Signatures

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

Payment Pdf.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	3952	Payment Pdf.exe
Token: SeRestorePrivilege	2616	WerFault.exe
Token: SeBackupPrivilege	2616	WerFault.exe
Token: SeDebugPrivilege	2616	WerFault.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

Payment Pdf.exeWerFault.exe

pid	process
3952	Payment Pdf.exe
3952	Payment Pdf.exe
3952	Payment Pdf.exe
2616	WerFault.exe
2616	WerFault.exe
2616	WerFault.exe
2616	WerFault.exe
2616	WerFault.exe
2616	WerFault.exe
2616	WerFault.exe
2616	WerFault.exe
2616	WerFault.exe
2616	WerFault.exe
2616	WerFault.exe
2616	WerFault.exe
2616	WerFault.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2616 3952 WerFault.exe Payment Pdf.exe

C:\Users\Admin\AppData\Local\Temp\Payment Pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Pdf.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:3952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3952 -s 968
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Program crash
PID:2616

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2616-0-0x0000000004C60000-0x0000000004C61000-memory.dmp

Filesize
4KB

Download