3b99fe9fd560fbfa948a5c5e0ab90281a0a75eed2615a7378b0bc6bd82e33a8a | Triage

Analysis

max time kernel
135s
max time network
99s
platform
windows10_x64
resource
win10v200430
submitted
30-06-2020 13:03

Sharing

Report Analysis Logs

General

Target

PZS-172.exe
Size

413KB
MD5

38beb7c3620d7fa183fef226aa284725
SHA1

92048b0233855abd8098e3c049a981adc318e1f9
SHA256

3b99fe9fd560fbfa948a5c5e0ab90281a0a75eed2615a7378b0bc6bd82e33a8a
SHA512

1ce87934f9775012352f883d4f460ac45548803782c6929adf3e5c9648d3157e4916e37611b75c1423e24cca90efc83d004692e1118311b0d617a362ae681e03

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2432 3944 WerFault.exe PZS-172.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

WerFault.exe

pid	process
2432	WerFault.exe
2432	WerFault.exe
2432	WerFault.exe
2432	WerFault.exe
2432	WerFault.exe
2432	WerFault.exe
2432	WerFault.exe
2432	WerFault.exe
2432	WerFault.exe
2432	WerFault.exe
2432	WerFault.exe
2432	WerFault.exe
2432	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 2432 WerFault.exe
Token: SeBackupPrivilege 2432 WerFault.exe
Token: SeDebugPrivilege 2432 WerFault.exe

C:\Users\Admin\AppData\Local\Temp\PZS-172.exe
"C:\Users\Admin\AppData\Local\Temp\PZS-172.exe"
1⤵
PID:3944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 896
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2432

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2432-0-0x0000000004D00000-0x0000000004D01000-memory.dmp

Filesize
4KB

Download
memory/2432-1-0x0000000005660000-0x0000000005661000-memory.dmp

Filesize
4KB

Download