441efa986321eb0bdac9d133478f98a11dea6ff3a85af1c9c145a6049cb33cb6 | Triage

Analysis

max time kernel
128s
max time network
98s
platform
windows10_x64
resource
win10v200430
submitted
07/07/2020, 06:34

Sharing

Report Analysis Logs

General

Target

TT_copy.exe
Size

561KB
MD5

3596dca21b1e41c2cd233d18195cea13
SHA1

7e58382e71064bd5d7ecac40b0e6a3b95d32d5cc
SHA256

441efa986321eb0bdac9d133478f98a11dea6ff3a85af1c9c145a6049cb33cb6
SHA512

f8b645a7a68ab1f491afd0483447a0731ae79bb85999f421cee46a7c5de50fd53e48a3b50936303b809edaa70a773e7431bed0731527dbcc79c2fa3e2dac7939

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2880	1484	WerFault.exe	67

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2880	WerFault.exe
2880	WerFault.exe
2880	WerFault.exe
2880	WerFault.exe
2880	WerFault.exe
2880	WerFault.exe
2880	WerFault.exe
2880	WerFault.exe
2880	WerFault.exe
2880	WerFault.exe
2880	WerFault.exe
2880	WerFault.exe
2880	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	2880	WerFault.exe
Token: SeBackupPrivilege	2880	WerFault.exe
Token: SeDebugPrivilege	2880	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\TT_copy.exe
"C:\Users\Admin\AppData\Local\Temp\TT_copy.exe"
1⤵
PID:1484
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1484 -s 940
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2880

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2880-0-0x0000000004660000-0x0000000004661000-memory.dmp

Filesize
4KB

Download
memory/2880-1-0x0000000004BA0000-0x0000000004BA1000-memory.dmp

Filesize
4KB

Download