0c3d2c9f3d8e38323436d7f47852059f7b0cfc19fa53c86196b5376b8ebe5aff | Triage

Analysis

max time kernel
130s
max time network
105s
platform
windows10_x64
resource
win10v200430
submitted
16-07-2020 22:14

Sharing

Report Analysis Logs

General

Target

1672020Swift Copy.Scan8976.exe
Size

443KB
MD5

041f2ac19f452b2d61a76b5d83c29297
SHA1

acac069d10ae5eeb06b89c158fcaca19e8932cbb
SHA256

0c3d2c9f3d8e38323436d7f47852059f7b0cfc19fa53c86196b5376b8ebe5aff
SHA512

0cf2e313eb237eee5951776c6634d9173dd91867ece690691ca9e0b0c2caea49e1b3e97e92be6ce540fc5df445ca4fd8e75de073823175196f45336ccf852a6e

Score

3^/10

Malware Config

Signatures

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	2892	WerFault.exe
Token: SeBackupPrivilege	2892	WerFault.exe
Token: SeDebugPrivilege	2892	WerFault.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2892	WerFault.exe
2892	WerFault.exe
2892	WerFault.exe
2892	WerFault.exe
2892	WerFault.exe
2892	WerFault.exe
2892	WerFault.exe
2892	WerFault.exe
2892	WerFault.exe
2892	WerFault.exe
2892	WerFault.exe
2892	WerFault.exe
2892	WerFault.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2892	1612	WerFault.exe	67

C:\Users\Admin\AppData\Local\Temp\1672020Swift Copy.Scan8976.exe
"C:\Users\Admin\AppData\Local\Temp\1672020Swift Copy.Scan8976.exe"
1⤵
PID:1612
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 912
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  - Program crash
  PID:2892

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2892-0-0x0000000004860000-0x0000000004861000-memory.dmp

Filesize
4KB

Download
memory/2892-1-0x0000000004E90000-0x0000000004E91000-memory.dmp

Filesize
4KB

Download