Analysis

max time kernel: 109s
max time network: 132s
platform: windows10_x64
resource: win10v200430
submitted: 10-07-2020 17:56

Static task: static1

Behavioral task: behavioral1
Sample: PIMX19031201.ppt.csv.bat.exe
Resource: win7 (windows7_x64)
0 signatures, 0 seconds

Behavioral task: behavioral2
Sample: PIMX19031201.ppt.csv.bat.exe
Resource: win10v200430 (windows10_x64)
0 signatures, 0 seconds

General

Target: PIMX19031201.ppt.csv.bat.exe
The target name chains four extensions (.ppt.csv.bat.exe). Only the final .exe decides how Windows runs the file; the document-looking extensions in front of it are decoys, a common lure pattern for mailed executables.
Size: 626KB
MD5: 154b9a5a3f487ddffe4ab579b4556c1f
SHA1: 34fa640eb96c22ce2feec3cd32d7d83b9c3cae81
SHA256: 442e9a77e130db7f6d9802a6a87e942e71163e9030134ac8ab4d76af114aba60
SHA512: 47f482eef3141edb0e7b865a40d5a9634598d84d52584a50c5887bb598199c4de8f244be131b482aa0ac49893627cdf0c757d682bde26246b157d91cc2fe0154
Score: 3/10
Malware Config
Signatures

Program crash (1 IoC)
  pid  pid_target  Process       procid_target
  988  2416        WerFault.exe  67

Suspicious behavior: EnumeratesProcesses (13 IoCs)
  pid  Process
  988  WerFault.exe  (13 occurrences)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description                 pid  Process
  Token: SeRestorePrivilege   988  WerFault.exe
  Token: SeBackupPrivilege    988  WerFault.exe
  Token: SeDebugPrivilege     988  WerFault.exe

All three signatures are raised by WerFault.exe (PID 988), the Windows Error Reporting handler started for the crashed sample (PID 2416), not by the sample itself. Enumerating processes and enabling SeDebugPrivilege, SeBackupPrivilege and SeRestorePrivilege are routine for WerFault, which must open the faulting process to collect its crash data; on their own they are not evidence of malicious behaviour in this run.
Processes

C:\Users\Admin\AppData\Local\Temp\PIMX19031201.ppt.csv.bat.exe  (PID 2416)
  Command line: "C:\Users\Admin\AppData\Local\Temp\PIMX19031201.ppt.csv.bat.exe"

  C:\Windows\SysWOW64\WerFault.exe  (PID 988, child of 2416)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2416 -s 896
    Signatures: Program crash; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

WerFault.exe is the Windows Error Reporting handler; its -p 2416 argument names the crashed process, i.e. the sample. The SysWOW64 path means the 32-bit WerFault was invoked, so the sample is a 32-bit executable. The sample did nothing the sandbox signatures recognise before it crashed, which is consistent with the 3/10 score.
-
Network

Four identical HTTP exchanges with 13.107.4.52:80. This is the Windows 10 Network Connectivity Status Indicator (NCSI) probe, which the OS issues on its own to decide whether the machine has internet access; it is VM background noise, not a connection initiated by the sample. The 22-byte body matches the probe's fixed "Microsoft Connect Test" response. The first exchange is shown in full; the other three differ only in the X-MSEdge-Ref "Ref A" value.

Remote address: 13.107.4.52:80
Request:
GET /connecttest.txt HTTP/1.1
Connection: Keep-Alive
Host: www.msftconnecttest.com

Response:
HTTP/1.1 200 OK
Content-Length: 22
Content-Type: text/plain; charset=utf-8
Last-Modified: Thu, 02 Jul 2020 02:53:41 GMT
Accept-Ranges: bytes
ETag: 0x8D343F9E96C9DAC
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: X-MSEdge-Ref
Timing-Allow-Origin: *
X-Content-Type-Options: nosniff
X-MSEdge-Ref: Ref A: 885E3F86F12545E7A941FBF71882C88C Ref B: AMSEDGE1119 Ref C: 2020-07-10T17:56:47Z
Date: Fri, 10 Jul 2020 17:56:46 GMT

Remaining three exchanges (same request, same response headers, Ref B: AMSEDGE1119, Ref C: 2020-07-10T17:56:47Z):
Ref A: 74C846C2E28D43DE914716EF9D2B5612
Ref A: 83E318809E2F4C4999D2065C3C39F082
Ref A: E8DFDA3E796342C6A6C1D956AA16FA42
Flow summary for 13.107.4.52:80: 840 B sent, 2.4kB received, 11 packets in each direction.

HTTP requests
GET http://www.msftconnecttest.com/connecttest.txt -> HTTP 200  (4 requests)
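The reasoning a practitioner applies to a report like this one (a lure-style filename, every signature attributed to the crash handler rather than the sample, and only OS connectivity probes on the wire) can be mechanised. The following is an added example, not code from the report page or from any sandbox vendor; the process, signature and HTTP records are constructed from the entries above, and the OS-noise host list, the extension sets and all function names are this example's own assumptions.

```python
"""Triage helper for a flattened sandbox report such as the one above.

Added example, not part of the original report. The record lists below are
constructed from the page's Processes, Signatures and Network sections; the
host list, extension sets and function names are assumptions of this example.
"""
import re

# Constructed from the Processes section: (depth, image, command line, pid).
PROCESS_LINES = [
    (1, r"C:\Users\Admin\AppData\Local\Temp\PIMX19031201.ppt.csv.bat.exe",
        r'"C:\Users\Admin\AppData\Local\Temp\PIMX19031201.ppt.csv.bat.exe"', 2416),
    (2, r"C:\Windows\SysWOW64\WerFault.exe",
        r"C:\Windows\SysWOW64\WerFault.exe -u -p 2416 -s 896", 988),
]

# Constructed from the Signatures tables: (signature, pid, process).
SIGNATURES = [
    ("Program crash", 988, "WerFault.exe"),
    ("Suspicious behavior: EnumeratesProcesses", 988, "WerFault.exe"),
    ("Suspicious use of AdjustPrivilegeToken", 988, "WerFault.exe"),
]

# Constructed from the HTTP list: (method, host, path, status), four times.
HTTP = [("GET", "www.msftconnecttest.com", "/connecttest.txt", 200)] * 4

# Hosts a fresh Windows 10 VM contacts by itself (assumed list; extend it for
# your own sandbox image). www.msftconnecttest.com is the NCSI probe host.
OS_NOISE_HOSTS = {"www.msftconnecttest.com", "www.msftncsi.com", "dns.msftncsi.com"}

# Assumed extension sets: the last one decides execution, earlier ones are decoys.
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".ps1"}
DECOY_EXT = {".ppt", ".pptx", ".doc", ".docx", ".xls", ".xlsx", ".csv", ".pdf",
             ".txt", ".jpg", ".png"}


def extension_chain(filename):
    """Every dotted suffix of filename, e.g. ['.ppt', '.csv', '.bat', '.exe']."""
    return ["." + p for p in filename.lower().split(".")[1:]]


def is_double_extension_lure(filename):
    """True when a document-looking extension precedes a final executable one."""
    chain = extension_chain(filename)
    return (len(chain) >= 2 and chain[-1] in EXECUTABLE_EXT
            and any(e in DECOY_EXT for e in chain[:-1]))


def werfault_target_pid(cmdline):
    """Crashed process id from a WerFault.exe command line (the -p argument)."""
    m = re.search(r"(?:^|\s)-p\s+(\d+)", cmdline)
    return int(m.group(1)) if m else None


def crash_handlers(procs):
    """Map each WerFault.exe pid to the pid of the process it was started for."""
    return {pid: werfault_target_pid(cmd) for _d, image, cmd, pid in procs
            if image.lower().endswith(r"\werfault.exe")}


def attribute_signatures(sigs, handlers):
    """Split signatures into those from the sample and those raised only by a
    crash handler acting on its behalf (expected WER behaviour)."""
    sample, handler_only = [], []
    for sig in sigs:
        (handler_only if sig[1] in handlers else sample).append(sig)
    return sample, handler_only


def unexplained_hosts(http, noise=OS_NOISE_HOSTS):
    """Request counts per host after removing known OS background traffic."""
    counts = {}
    for _method, host, _path, _status in http:
        if host.lower() not in noise:
            counts[host] = counts.get(host, 0) + 1
    return counts


def triage(filename, procs, sigs, http):
    """Combine the checks into one verdict; assumes procs[0] is the sample."""
    handlers = crash_handlers(procs)
    sample_pid = procs[0][3]
    sample_sigs, handler_sigs = attribute_signatures(sigs, handlers)
    return {
        "double_extension_lure": is_double_extension_lure(filename),
        "extension_chain": extension_chain(filename),
        "sample_pid": sample_pid,
        "sample_crashed": sample_pid in handlers.values(),
        "signatures_from_sample": len(sample_sigs),
        "signatures_from_crash_handler": len(handler_sigs),
        "unexplained_hosts": unexplained_hosts(http),
    }


if __name__ == "__main__":
    for key, value in triage("PIMX19031201.ppt.csv.bat.exe",
                             PROCESS_LINES, SIGNATURES, HTTP).items():
        print(f"{key}: {value}")
```

For this report the verdict comes out as: lure-style filename, sample crashed (PID 2416 is the target of WerFault's -p), zero signatures from the sample and three from the crash handler, and no hosts left once NCSI traffic is filtered out. A sample that survives long enough to contact anything outside the noise list would show up in unexplained_hosts, which is the field worth alerting on.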