913a8adeb8194c703684e6307c15de82de9e033fa42e9f2025e55ab534eb6dfc | Triage

Analysis

max time kernel
15s
max time network
111s
platform
windows10_x64
resource
win10v200722
submitted
04/10/2020, 10:25

Sharing

Report Analysis Logs

General

Target

msdtc.bin.exe
Size

5.2MB
MD5

ba186e8a8abcbf0ed4fbb5fac6ba5821
SHA1

2ebac954c1941cecefa078ca2fb50f1b9281a3bd
SHA256

46da8d04de493e9858caa01cfadcd8e740be109e379985880fa05f23040f8d68
SHA512

54a14900b16226d4b95148508a54cd3decaadb593c2467e8c41e32ea1a167dd25e7b8dc5ec3021bd07a3d3f11265b9b54ce301d73ffe5e0a2ea328113b5ab158

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3864	2080	WerFault.exe	65

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3864	WerFault.exe
3864	WerFault.exe
3864	WerFault.exe
3864	WerFault.exe
3864	WerFault.exe
3864	WerFault.exe
3864	WerFault.exe
3864	WerFault.exe
3864	WerFault.exe
3864	WerFault.exe
3864	WerFault.exe
3864	WerFault.exe
3864	WerFault.exe
3864	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	3864	WerFault.exe
Token: SeBackupPrivilege	3864	WerFault.exe
Token: SeDebugPrivilege	3864	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\msdtc.bin.exe
"C:\Users\Admin\AppData\Local\Temp\msdtc.bin.exe"
1⤵
PID:2080
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2080 -s 504
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3864

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3864-0-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/3864-1-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/3864-3-0x0000000005490000-0x0000000005491000-memory.dmp

Filesize
4KB

Download