ffe650f45fc31541f4c992f2d0e9e3a36dd8714fc7ed2625427d1edd8f349eb1 | Triage

Resubmissions

17/06/2020, 02:42

200617-kwf1tfwmts 3

17/06/2020, 02:36

200617-rshx9azv7n 1

17/06/2020, 02:33

200617-n6mrs3216x 3

Analysis

max time kernel
63s
max time network
67s
platform
windows10_x64
resource
win10v200430
submitted
17/06/2020, 02:33

Sharing

Report Analysis Logs

General

Target

Ransomware.exe
Size

211KB
MD5

6ceb9e638766001d7e7f803d71b4fed5
SHA1

44fb668cadeb0308bea74d4bcdaeb7a06b00cd9e
SHA256

ffe650f45fc31541f4c992f2d0e9e3a36dd8714fc7ed2625427d1edd8f349eb1
SHA512

d8109dc86357c2cdfbe122cd529871e3c7d2b9ee0d04100c5d2231dbbc7efa3af594a53ca3202571d24b8ca8d4c724d8b05bcd52effd2248bb28d9f83e993d4b

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
420	2564	WerFault.exe	65

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	420	WerFault.exe
Token: SeBackupPrivilege	420	WerFault.exe
Token: SeDebugPrivilege	420	WerFault.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
420	WerFault.exe
420	WerFault.exe
420	WerFault.exe
420	WerFault.exe
420	WerFault.exe
420	WerFault.exe
420	WerFault.exe
420	WerFault.exe
420	WerFault.exe
420	WerFault.exe
420	WerFault.exe
420	WerFault.exe
420	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\Ransomware.exe
"C:\Users\Admin\AppData\Local\Temp\Ransomware.exe"
1⤵
PID:2564
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 1120
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  PID:420

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/420-0-0x0000000004870000-0x0000000004871000-memory.dmp

Filesize
4KB

Download
memory/420-1-0x0000000005130000-0x0000000005131000-memory.dmp

Filesize
4KB

Download