a6e37f96da16a4f2be724e41fb5aa0ddcb75ba281b2dcf2077779592ab0ed5bb | Triage

Analysis

max time kernel
67s
max time network
89s
platform
windows10_x64
resource
win10
submitted
07-07-2020 08:27

Sharing

Report Analysis Logs

General

Target

Facturas Pagadas al Vencimiento 2.bat.exe
Size

508KB
MD5

93873ad64ae56bcd5eb73cf3f5495c39
SHA1

af6f2ea498166aae38a363c87e9af905b19ccb59
SHA256

a6e37f96da16a4f2be724e41fb5aa0ddcb75ba281b2dcf2077779592ab0ed5bb
SHA512

21253a63dc8788a841effcecb445930e811974e26e01b4bb490905cc5e8066dd2f41307b6674a94788971337d615b3e05feebbfab0b5528b117e171425416d96

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3216 3536 WerFault.exe Facturas Pagadas al Vencimiento 2.bat.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

WerFault.exe

pid	process
3216	WerFault.exe
3216	WerFault.exe
3216	WerFault.exe
3216	WerFault.exe
3216	WerFault.exe
3216	WerFault.exe
3216	WerFault.exe
3216	WerFault.exe
3216	WerFault.exe
3216	WerFault.exe
3216	WerFault.exe
3216	WerFault.exe
3216	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 3216 WerFault.exe
Token: SeBackupPrivilege 3216 WerFault.exe
Token: SeDebugPrivilege 3216 WerFault.exe

C:\Users\Admin\AppData\Local\Temp\Facturas Pagadas al Vencimiento 2.bat.exe
"C:\Users\Admin\AppData\Local\Temp\Facturas Pagadas al Vencimiento 2.bat.exe"
1⤵
PID:3536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3536 -s 936
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3216

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3216-0-0x0000000004EE0000-0x0000000004EE1000-memory.dmp

Filesize
4KB

Download
memory/3216-1-0x0000000004EE0000-0x0000000004EE1000-memory.dmp

Filesize
4KB

Download