cf4cf0f064bbd1115fdee0971c7ffc9a474984eeda8107040589b425ae1a6605 | Triage

Analysis

max time kernel
128s
max time network
131s
platform
windows10_x64
resource
win10
submitted
13-07-2020 06:26

Sharing

Report Analysis Logs

General

Target

P0#1307020 P2.bat.exe
Size

341KB
MD5

735f03674a0a65c14088e18657694fe9
SHA1

6e2d3a2e7bb0220054c8fc2ea8272f6d9babd0bb
SHA256

cf4cf0f064bbd1115fdee0971c7ffc9a474984eeda8107040589b425ae1a6605
SHA512

1a74849aab621c866076a5660e16fbcc569085701858cba054d9ad67f2ac3696c9dc75da9f3564f5e71cc19c4c53c3a8b6993c937ee6f063c19bb84668f4e699

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3912 3676 WerFault.exe P0#1307020 P2.bat.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 3912 WerFault.exe
Token: SeBackupPrivilege 3912 WerFault.exe
Token: SeDebugPrivilege 3912 WerFault.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

WerFault.exe

pid	process
3912	WerFault.exe
3912	WerFault.exe
3912	WerFault.exe
3912	WerFault.exe
3912	WerFault.exe
3912	WerFault.exe
3912	WerFault.exe
3912	WerFault.exe
3912	WerFault.exe
3912	WerFault.exe
3912	WerFault.exe
3912	WerFault.exe
3912	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\P0#1307020 P2.bat.exe
"C:\Users\Admin\AppData\Local\Temp\P0#1307020 P2.bat.exe"
1⤵
PID:3676
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3676 -s 1140
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  PID:3912

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3912-0-0x0000000004750000-0x0000000004751000-memory.dmp

Filesize
4KB

Download
memory/3912-1-0x0000000004D90000-0x0000000004D91000-memory.dmp

Filesize
4KB

Download