Analysis

  • max time kernel
    109s
  • max time network
    132s
  • platform
    windows10_x64
  • resource
    win10v200430
  • submitted
    10-07-2020 17:56

General

  • Target

    PIMX19031201.ppt.csv.bat.exe

  • Size

    626KB

  • MD5

    154b9a5a3f487ddffe4ab579b4556c1f

  • SHA1

    34fa640eb96c22ce2feec3cd32d7d83b9c3cae81

  • SHA256

    442e9a77e130db7f6d9802a6a87e942e71163e9030134ac8ab4d76af114aba60

  • SHA512

    47f482eef3141edb0e7b865a40d5a9634598d84d52584a50c5887bb598199c4de8f244be131b482aa0ac49893627cdf0c757d682bde26246b157d91cc2fe0154

Score
3/10

Malware Config

Signatures

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PIMX19031201.ppt.csv.bat.exe
    "C:\Users\Admin\AppData\Local\Temp\PIMX19031201.ppt.csv.bat.exe"
    1⤵
      PID:2416
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2416 -s 896
        2⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:988

    Network

    • GET
      http://www.msftconnecttest.com/connecttest.txt
      WerFault.exe
      Remote address:
      13.107.4.52:80
      Request
      GET /connecttest.txt HTTP/1.1
      Connection: Keep-Alive
      Host: www.msftconnecttest.com
      Response
      HTTP/1.1 200 OK
      Cache-Control: no-store
      Content-Length: 22
      Content-Type: text/plain; charset=utf-8
      Last-Modified: Thu, 02 Jul 2020 02:53:41 GMT
      Accept-Ranges: bytes
      ETag: 0x8D343F9E96C9DAC
      Access-Control-Allow-Origin: *
      Access-Control-Expose-Headers: X-MSEdge-Ref
      Timing-Allow-Origin: *
      X-Content-Type-Options: nosniff
      X-MSEdge-Ref: Ref A: 885E3F86F12545E7A941FBF71882C88C Ref B: AMSEDGE1119 Ref C: 2020-07-10T17:56:47Z
      Date: Fri, 10 Jul 2020 17:56:46 GMT
    • GET
      http://www.msftconnecttest.com/connecttest.txt
      WerFault.exe
      Remote address:
      13.107.4.52:80
      Request
      GET /connecttest.txt HTTP/1.1
      Connection: Keep-Alive
      Host: www.msftconnecttest.com
      Response
      HTTP/1.1 200 OK
      Cache-Control: no-store
      Content-Length: 22
      Content-Type: text/plain; charset=utf-8
      Last-Modified: Thu, 02 Jul 2020 02:53:41 GMT
      Accept-Ranges: bytes
      ETag: 0x8D343F9E96C9DAC
      Access-Control-Allow-Origin: *
      Access-Control-Expose-Headers: X-MSEdge-Ref
      Timing-Allow-Origin: *
      X-Content-Type-Options: nosniff
      X-MSEdge-Ref: Ref A: 74C846C2E28D43DE914716EF9D2B5612 Ref B: AMSEDGE1119 Ref C: 2020-07-10T17:56:47Z
      Date: Fri, 10 Jul 2020 17:56:46 GMT
    • GET
      http://www.msftconnecttest.com/connecttest.txt
      WerFault.exe
      Remote address:
      13.107.4.52:80
      Request
      GET /connecttest.txt HTTP/1.1
      Connection: Keep-Alive
      Host: www.msftconnecttest.com
      Response
      HTTP/1.1 200 OK
      Cache-Control: no-store
      Content-Length: 22
      Content-Type: text/plain; charset=utf-8
      Last-Modified: Thu, 02 Jul 2020 02:53:41 GMT
      Accept-Ranges: bytes
      ETag: 0x8D343F9E96C9DAC
      Access-Control-Allow-Origin: *
      Access-Control-Expose-Headers: X-MSEdge-Ref
      Timing-Allow-Origin: *
      X-Content-Type-Options: nosniff
      X-MSEdge-Ref: Ref A: 83E318809E2F4C4999D2065C3C39F082 Ref B: AMSEDGE1119 Ref C: 2020-07-10T17:56:47Z
      Date: Fri, 10 Jul 2020 17:56:46 GMT
    • GET
      http://www.msftconnecttest.com/connecttest.txt
      WerFault.exe
      Remote address:
      13.107.4.52:80
      Request
      GET /connecttest.txt HTTP/1.1
      Connection: Keep-Alive
      Host: www.msftconnecttest.com
      Response
      HTTP/1.1 200 OK
      Cache-Control: no-store
      Content-Length: 22
      Content-Type: text/plain; charset=utf-8
      Last-Modified: Thu, 02 Jul 2020 02:53:41 GMT
      Accept-Ranges: bytes
      ETag: 0x8D343F9E96C9DAC
      Access-Control-Allow-Origin: *
      Access-Control-Expose-Headers: X-MSEdge-Ref
      Timing-Allow-Origin: *
      X-Content-Type-Options: nosniff
      X-MSEdge-Ref: Ref A: E8DFDA3E796342C6A6C1D956AA16FA42 Ref B: AMSEDGE1119 Ref C: 2020-07-10T17:56:47Z
      Date: Fri, 10 Jul 2020 17:56:46 GMT
    • 13.107.4.52:80
      http://www.msftconnecttest.com/connecttest.txt
      http
      WerFault.exe
      840 B
      2.4kB
      11
      11

      HTTP Request: GET http://www.msftconnecttest.com/connecttest.txt
      HTTP Response: 200

      HTTP Request: GET http://www.msftconnecttest.com/connecttest.txt
      HTTP Response: 200

      HTTP Request: GET http://www.msftconnecttest.com/connecttest.txt
      HTTP Response: 200

      HTTP Request: GET http://www.msftconnecttest.com/connecttest.txt
      HTTP Response: 200

    Downloads

    • memory/988-0-0x00000000046C0000-0x00000000046C1000-memory.dmp

      Filesize

      4KB

    • memory/988-1-0x0000000004C00000-0x0000000004C01000-memory.dmp

      Filesize

      4KB