e65f3e7d58650711f81d06e50e53ced4b636f08df0eed8019d7927e17fec9580

Analysis

max time kernel
85s
max time network
146s
platform
windows10_x64
resource
win10
submitted
09-07-2020 06:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PO# 7431.scr
Size

1.9MB
MD5

8341d551a5b1665cbb0f65780530b20c
SHA1

2fb6aa095ff9406b65f49e94303c925cf8d44fc3
SHA256

e65f3e7d58650711f81d06e50e53ced4b636f08df0eed8019d7927e17fec9580
SHA512

5c984f07ac00f816a2804fb201ccf956c7ee8645f255a01cbce0d7049bd6658c6d379df53be5c6d4a3775b543304dda6268de5ac717ce9a42cce524bf3545e47

Score

6^/10

persistence

Malware Config

Signatures

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 496 WerFault.exe
Token: SeBackupPrivilege 496 WerFault.exe
Token: SeDebugPrivilege 496 WerFault.exe

description	pid	process
Token: SeRestorePrivilege	496	WerFault.exe
Token: SeBackupPrivilege	496	WerFault.exe
Token: SeDebugPrivilege	496	WerFault.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

WerFault.exe

pid	process
496	WerFault.exe
496	WerFault.exe
496	WerFault.exe
496	WerFault.exe
496	WerFault.exe
496	WerFault.exe
496	WerFault.exe
496	WerFault.exe
496	WerFault.exe
496	WerFault.exe
496	WerFault.exe
496	WerFault.exe
496	WerFault.exe

Adds Run entry to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

PO# 7431.scr

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\YZESe = "C:\\GOHCSFBB\\YZESek\\YZESekoeC.vbs"	PO# 7431.scr

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

496 3676 WerFault.exe PO# 7431.scr

pid	pid_target	process	target process
496	3676	WerFault.exe	PO# 7431.scr

C:\Users\Admin\AppData\Local\Temp\PO# 7431.scr
"C:\Users\Admin\AppData\Local\Temp\PO# 7431.scr" /S
1⤵
- Adds Run entry to start application
PID:3676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3676 -s 8244
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Program crash
PID:496

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/496-0-0x0000000004270000-0x0000000004271000-memory.dmp

Filesize
4KB

Download
memory/496-1-0x0000000004270000-0x0000000004271000-memory.dmp

Filesize
4KB

Download
memory/496-3-0x00000000048A0000-0x00000000048A1000-memory.dmp

Filesize
4KB

Download