Analysis
max time kernel: 75s
max time network: 145s
platform: windows10_x64
resource: win10
submitted: 07-07-2020 13:51
Static task: static1
Behavioral task: behavioral1
  Sample: shipng Docs.exe
  Resource: win7v200430 (windows7_x64)
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: shipng Docs.exe
  Resource: win10 (windows10_x64)
  0 signatures, 0 seconds
General
Target: shipng Docs.exe
Size: 728KB
MD5: 51610087f17b46e3775ecf619cebb1ab
SHA1: 0632287ac8843d90532ddcd6dfcfa9855797ee22
SHA256: 218972a66f10ca014d9991d6033dab3be3aeb8ef64c97016fba028f79989b6dc
SHA512: 3c721f21efe4285ce39f3f27bf1711021f231986728b0b0d9b77a5dd1646024b8924674d97708b6be92fa58325ecc2d6eab736011f85ffdcad7782b5840106f2
Score: 3/10
Malware Config
Signatures
- Program crash (1 IoC)
  Processes (pid / pid_target / process / target process):
  3016 / 2960 / WerFault.exe / shipng Docs.exe
- Suspicious behavior: EnumeratesProcesses (15 IoCs)
  Processes (pid / process):
  2960 / shipng Docs.exe
  3016 / WerFault.exe (14 occurrences)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes (description / pid / process):
  Token: SeDebugPrivilege / 2960 / shipng Docs.exe
  Token: SeRestorePrivilege / 3016 / WerFault.exe
  Token: SeBackupPrivilege / 3016 / WerFault.exe
  Token: SeDebugPrivilege / 3016 / WerFault.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\shipng Docs.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\shipng Docs.exe"
   PID: 2960
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   2. C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2960 -s 940
      PID: 3016
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken