1783a9996138d2b199496d53340e7a68f0f265af553a4caabaaf5fe1ada46e3c | Triage

Analysis

max time kernel
121s
max time network
119s
platform
windows10_x64
resource
win10
submitted
07/07/2020, 12:53

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

TT SLIP.exe
Size

621KB
MD5

9be7ccf2784692c34f0a23ee1c6cdf96
SHA1

50893829429e45ae306e74499339fb4e71356bf6
SHA256

1783a9996138d2b199496d53340e7a68f0f265af553a4caabaaf5fe1ada46e3c
SHA512

8be8a31b093a0b5063c861233c92c6b8caac37ccdb7b3198e597cceeb720edd06dd818231d46af0effc987bd0b22048b58abcf2ca95ad3df7708a5d896cc6b7e

Score

3^/10

Malware Config

Signatures

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4060	TT SLIP.exe
Token: SeRestorePrivilege	3836	WerFault.exe
Token: SeBackupPrivilege	3836	WerFault.exe
Token: SeDebugPrivilege	3836	WerFault.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
4060	TT SLIP.exe
3836	WerFault.exe
3836	WerFault.exe
3836	WerFault.exe
3836	WerFault.exe
3836	WerFault.exe
3836	WerFault.exe
3836	WerFault.exe
3836	WerFault.exe
3836	WerFault.exe
3836	WerFault.exe
3836	WerFault.exe
3836	WerFault.exe
3836	WerFault.exe
3836	WerFault.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3836	4060	WerFault.exe	66

C:\Users\Admin\AppData\Local\Temp\TT SLIP.exe
"C:\Users\Admin\AppData\Local\Temp\TT SLIP.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:4060
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 936
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  - Program crash
  PID:3836

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3836-0-0x0000000004B70000-0x0000000004B71000-memory.dmp

Filesize
4KB

Download
memory/3836-1-0x0000000004F70000-0x0000000004F71000-memory.dmp

Filesize
4KB

Download
memory/3836-2-0x00000000056A0000-0x00000000056A1000-memory.dmp

Filesize
4KB

Download