913a8adeb8194c703684e6307c15de82de9e033fa42e9f2025e55ab534eb6dfc | Triage

Analysis

max time kernel
15s
max time network
111s
platform
windows10_x64
resource
win10v200722
submitted
04-10-2020 10:25

Sharing

Report Analysis Logs

General

Target

msdtc.bin.exe
Size

5.2MB
MD5

ba186e8a8abcbf0ed4fbb5fac6ba5821
SHA1

2ebac954c1941cecefa078ca2fb50f1b9281a3bd
SHA256

46da8d04de493e9858caa01cfadcd8e740be109e379985880fa05f23040f8d68
SHA512

54a14900b16226d4b95148508a54cd3decaadb593c2467e8c41e32ea1a167dd25e7b8dc5ec3021bd07a3d3f11265b9b54ce301d73ffe5e0a2ea328113b5ab158

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3864 2080 WerFault.exe msdtc.bin.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

pid	process
3864	WerFault.exe
3864	WerFault.exe
3864	WerFault.exe
3864	WerFault.exe
3864	WerFault.exe
3864	WerFault.exe
3864	WerFault.exe
3864	WerFault.exe
3864	WerFault.exe
3864	WerFault.exe
3864	WerFault.exe
3864	WerFault.exe
3864	WerFault.exe
3864	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 3864 WerFault.exe
Token: SeBackupPrivilege 3864 WerFault.exe
Token: SeDebugPrivilege 3864 WerFault.exe

C:\Users\Admin\AppData\Local\Temp\msdtc.bin.exe
"C:\Users\Admin\AppData\Local\Temp\msdtc.bin.exe"
1⤵
PID:2080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2080 -s 504
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3864

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3864-0-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/3864-1-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/3864-3-0x0000000005490000-0x0000000005491000-memory.dmp

Filesize
4KB

Download