70048d51529f09683d5180eb0e410297fa0332f155e213ebefc8fb750389177f | Triage

Analysis

max time kernel
146s
max time network
92s
platform
windows10_x64
resource
win10v200430
submitted
09/07/2020, 14:37

Sharing

Report Analysis Logs

General

Target

OOCS DI 20002876.exe
Size

1.3MB
MD5

d82419cc06e18b5cdf23f72a4b58c483
SHA1

149b6f3866d88292183f8d5af23c877e1d8fd60f
SHA256

70048d51529f09683d5180eb0e410297fa0332f155e213ebefc8fb750389177f
SHA512

b708bb5fc22bf5a93e830f99672ffa58783f0152d6bba2af94e960d68d2ba2b02813e20493b9711c23e860204d81152c2dec12ce53f6644e9f188e56454dcc9c

Score

3^/10

Malware Config

Signatures

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3544	OOCS DI 20002876.exe
Token: SeRestorePrivilege	2000	WerFault.exe
Token: SeBackupPrivilege	2000	WerFault.exe
Token: SeDebugPrivilege	2000	WerFault.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3544	OOCS DI 20002876.exe
2000	WerFault.exe
2000	WerFault.exe
2000	WerFault.exe
2000	WerFault.exe
2000	WerFault.exe
2000	WerFault.exe
2000	WerFault.exe
2000	WerFault.exe
2000	WerFault.exe
2000	WerFault.exe
2000	WerFault.exe
2000	WerFault.exe
2000	WerFault.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2000	3544	WerFault.exe	65

C:\Users\Admin\AppData\Local\Temp\OOCS DI 20002876.exe
"C:\Users\Admin\AppData\Local\Temp\OOCS DI 20002876.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:3544
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3544 -s 1260
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  - Program crash
  PID:2000

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2000-0-0x0000000004300000-0x0000000004301000-memory.dmp

Filesize
4KB

Download
memory/2000-1-0x0000000004300000-0x0000000004301000-memory.dmp

Filesize
4KB

Download
memory/2000-3-0x0000000004940000-0x0000000004941000-memory.dmp

Filesize
4KB

Download