442e9a77e130db7f6d9802a6a87e942e71163e9030134ac8ab4d76af114aba60 | Triage

Analysis

max time kernel
109s
max time network
132s
platform
windows10_x64
resource
win10v200430
submitted
10-07-2020 17:56

Sharing

Report Analysis Logs

General

Target

PIMX19031201.ppt.csv.bat.exe
Size

626KB
MD5

154b9a5a3f487ddffe4ab579b4556c1f
SHA1

34fa640eb96c22ce2feec3cd32d7d83b9c3cae81
SHA256

442e9a77e130db7f6d9802a6a87e942e71163e9030134ac8ab4d76af114aba60
SHA512

47f482eef3141edb0e7b865a40d5a9634598d84d52584a50c5887bb598199c4de8f244be131b482aa0ac49893627cdf0c757d682bde26246b157d91cc2fe0154

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

988 2416 WerFault.exe PIMX19031201.ppt.csv.bat.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

WerFault.exe

pid	process
988	WerFault.exe
988	WerFault.exe
988	WerFault.exe
988	WerFault.exe
988	WerFault.exe
988	WerFault.exe
988	WerFault.exe
988	WerFault.exe
988	WerFault.exe
988	WerFault.exe
988	WerFault.exe
988	WerFault.exe
988	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 988 WerFault.exe
Token: SeBackupPrivilege 988 WerFault.exe
Token: SeDebugPrivilege 988 WerFault.exe

C:\Users\Admin\AppData\Local\Temp\PIMX19031201.ppt.csv.bat.exe
"C:\Users\Admin\AppData\Local\Temp\PIMX19031201.ppt.csv.bat.exe"
1⤵
PID:2416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2416 -s 896
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:988

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/988-0-0x00000000046C0000-0x00000000046C1000-memory.dmp

Filesize
4KB

Download
memory/988-1-0x0000000004C00000-0x0000000004C01000-memory.dmp

Filesize
4KB

Download