6284dcf3ae02ff5c558baf2a35f9fceee1aed4fe200f333ca65a61a41cb96d69 | Triage

Analysis

max time kernel
147s
max time network
98s
platform
windows10_x64
resource
win10v200430
submitted
10-07-2020 15:39

Sharing

Report Analysis Logs

General

Target

SOA.exe
Size

665KB
MD5

3471a22050a74abfebd537ad8dfa7e9e
SHA1

0afbbb067a4fce6f3d3cbd379c08bef4bdf89cd2
SHA256

6284dcf3ae02ff5c558baf2a35f9fceee1aed4fe200f333ca65a61a41cb96d69
SHA512

7ca7fefcace59c3ff8c65f4ce8285aec2d8804cfd2859a31dba113f97e2eeefb90374d69183ef373a5b57f2f7de25665a78e34b11f91328a696f95b082c4876f

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2484	3768	WerFault.exe	65

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2484	WerFault.exe
2484	WerFault.exe
2484	WerFault.exe
2484	WerFault.exe
2484	WerFault.exe
2484	WerFault.exe
2484	WerFault.exe
2484	WerFault.exe
2484	WerFault.exe
2484	WerFault.exe
2484	WerFault.exe
2484	WerFault.exe
2484	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	2484	WerFault.exe
Token: SeBackupPrivilege	2484	WerFault.exe
Token: SeDebugPrivilege	2484	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\SOA.exe
"C:\Users\Admin\AppData\Local\Temp\SOA.exe"
1⤵
PID:3768
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3768 -s 900
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2484

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2484-0-0x0000000004820000-0x0000000004821000-memory.dmp

Filesize
4KB

Download
memory/2484-1-0x0000000004C60000-0x0000000004C61000-memory.dmp

Filesize
4KB

Download