a998f6728f0b6a94aed57893be633446488a36b810b9142709a3515f9f039f51

Analysis

max time kernel
61s
max time network
116s
platform
windows10_x64
resource
win10
submitted
09-07-2020 13:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a998f6728f0b6a94aed57893be633446488a36b810b9142709a3515f9f039f51.exe
Size

5KB
MD5

021d86fea93d0b567f5833f74437ef85
SHA1

353d4213b2c5a82d7bfbeb2ec4d7ac928fbf74f1
SHA256

a998f6728f0b6a94aed57893be633446488a36b810b9142709a3515f9f039f51
SHA512

ea6fbbe2b035fdb0663dc64bbfd793231a80ccca1ab5cd187de4167493a3347d032f33f04a230f5582035e22e2b1205b137389bdf9c979577105e6eb9a5919bc

Score

6^/10

persistence

Malware Config

Signatures

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

a998f6728f0b6a94aed57893be633446488a36b810b9142709a3515f9f039f51.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	3052	a998f6728f0b6a94aed57893be633446488a36b810b9142709a3515f9f039f51.exe
Token: SeDebugPrivilege	3820	WerFault.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3820 3052 WerFault.exe a998f6728f0b6a94aed57893be633446488a36b810b9142709a3515f9f039f51.exe

pid	pid_target	process	target process
3820	3052	WerFault.exe	a998f6728f0b6a94aed57893be633446488a36b810b9142709a3515f9f039f51.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

WerFault.exe

pid	process
3820	WerFault.exe
3820	WerFault.exe
3820	WerFault.exe
3820	WerFault.exe
3820	WerFault.exe
3820	WerFault.exe
3820	WerFault.exe
3820	WerFault.exe
3820	WerFault.exe
3820	WerFault.exe
3820	WerFault.exe
3820	WerFault.exe
3820	WerFault.exe

Adds Run entry to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

a998f6728f0b6a94aed57893be633446488a36b810b9142709a3515f9f039f51.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\DiagSvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\a998f6728f0b6a94aed57893be633446488a36b810b9142709a3515f9f039f51.exe\""	a998f6728f0b6a94aed57893be633446488a36b810b9142709a3515f9f039f51.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	a998f6728f0b6a94aed57893be633446488a36b810b9142709a3515f9f039f51.exe

C:\Users\Admin\AppData\Local\Temp\a998f6728f0b6a94aed57893be633446488a36b810b9142709a3515f9f039f51.exe
"C:\Users\Admin\AppData\Local\Temp\a998f6728f0b6a94aed57893be633446488a36b810b9142709a3515f9f039f51.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Adds Run entry to start application
PID:3052

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3052 -s 952
2⤵
- Suspicious use of AdjustPrivilegeToken
- Program crash
- Suspicious behavior: EnumeratesProcesses
PID:3820

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3820-0-0x000001D9D7E80000-0x000001D9D7E81000-memory.dmp

Filesize
4KB

Download
memory/3820-1-0x000001D9D8CF0000-0x000001D9D8CF1000-memory.dmp

Filesize
4KB

Download
memory/3820-2-0x000001D9D8CF0000-0x000001D9D8CF1000-memory.dmp

Filesize
4KB

Download