70c1c70357b6bf9c6ae58213e4c69a6a4d04e2252f60785ca21e9dc5efe0e10f | Triage

Analysis

max time kernel
131s
max time network
107s
platform
windows10_x64
resource
win10v200430
submitted
17/07/2020, 17:25

Sharing

Report Analysis Logs

General

Target

Facturas pagadas al Ve........bat.exe
Size

908KB
MD5

408901a6193714a7eb765852cfb90179
SHA1

a692f4aefe6c8c00472cf08691d7aa427aca1a34
SHA256

70c1c70357b6bf9c6ae58213e4c69a6a4d04e2252f60785ca21e9dc5efe0e10f
SHA512

81540454140ec7f4c1f0b98743de53cb83ba61a309cf1a1c52237397f375d0c89ed802ac40b864d512637bb5918bae0583fe45e5e81ce88838617681b4fe430e

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3820	1732	WerFault.exe	67

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
3820	WerFault.exe
3820	WerFault.exe
3820	WerFault.exe
3820	WerFault.exe
3820	WerFault.exe
3820	WerFault.exe
3820	WerFault.exe
3820	WerFault.exe
3820	WerFault.exe
3820	WerFault.exe
3820	WerFault.exe
3820	WerFault.exe
3820	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	3820	WerFault.exe
Token: SeBackupPrivilege	3820	WerFault.exe
Token: SeDebugPrivilege	3820	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\Facturas pagadas al Ve........bat.exe
"C:\Users\Admin\AppData\Local\Temp\Facturas pagadas al Ve........bat.exe"
1⤵
PID:1732
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1732 -s 1160
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3820

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3820-0-0x0000000004660000-0x0000000004661000-memory.dmp

Filesize
4KB

Download
memory/3820-1-0x0000000004DA0000-0x0000000004DA1000-memory.dmp

Filesize
4KB

Download