Analysis
- max time kernel: 129s
- max time network: 72s
- platform: windows10_x64
- resource: win10v200430
- submitted: 07-07-2020 09:45
Static task
- static1

Behavioral task
- behavioral1
  Sample: shipng Docs.exe
  Resource: win7 (windows7_x64)
  0 signatures, 0 seconds

Behavioral task
- behavioral2
  Sample: shipng Docs.exe
  Resource: win10v200430 (windows10_x64)
  0 signatures, 0 seconds
General
- Target: shipng Docs.exe
- Size: 728KB
- MD5: 51610087f17b46e3775ecf619cebb1ab
- SHA1: 0632287ac8843d90532ddcd6dfcfa9855797ee22
- SHA256: 218972a66f10ca014d9991d6033dab3be3aeb8ef64c97016fba028f79989b6dc
- SHA512: 3c721f21efe4285ce39f3f27bf1711021f231986728b0b0d9b77a5dd1646024b8924674d97708b6be92fa58325ecc2d6eab736011f85ffdcad7782b5840106f2
- Score: 3/10
Malware Config
Signatures
- Program crash (1 IoC)
  Processes:
  pid   pid_target  process       target process
  1780  1592        WerFault.exe  shipng Docs.exe

- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes:
  pid   process
  1592  shipng Docs.exe
  1780  WerFault.exe (13 occurrences)

- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes:
  description                pid   process
  Token: SeDebugPrivilege    1592  shipng Docs.exe
  Token: SeRestorePrivilege  1780  WerFault.exe
  Token: SeBackupPrivilege   1780  WerFault.exe
  Token: SeDebugPrivilege    1780  WerFault.exe
Processes
- "C:\Users\Admin\AppData\Local\Temp\shipng Docs.exe" (PID 1592)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 936 (PID 1780)
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
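The "Program crash" IoC above is derived from the WerFault.exe command line: the faulting process launches WerFault.exe with -p <pid of the crashed process> and -s <inherited event handle>, and -u marks a user-mode crash, so pid_target is simply the -p argument resolved against the process list. The SysWOW64 path shows the crash was handled for a 32-bit process. The script below, an added example that is not part of this report or of the sandbox's own code, re-derives that correlation from a process list. The PROCESSES records are constructed from the tree above with assumed field names (pid, ppid, image, cmdline); it also records whether WerFault's parent is the process named by -p, which is the expected shape for a self-reported crash.

```python
import re
from typing import List, Optional, Tuple

# Constructed stand-in for a sandbox/EDR process export, built from the
# process tree in this report. Field names are an assumption of this example.
PROCESSES = [
    {"pid": 1592, "ppid": None, "image": "shipng Docs.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\shipng Docs.exe"'},
    {"pid": 1780, "ppid": 1592, "image": "WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 936"},
]

# WerFault.exe ... -p <crashed pid>; the -s value is an inherited event handle
# and is not needed to identify the crashed process.
_WERFAULT_TARGET = re.compile(r"WerFault\.exe\b.*?-p\s+(\d+)", re.IGNORECASE)


def werfault_target(cmdline: str) -> Optional[int]:
    """PID named by -p in a WerFault.exe command line, or None if not WerFault."""
    m = _WERFAULT_TARGET.search(cmdline)
    return int(m.group(1)) if m else None


def program_crash_iocs(processes) -> List[Tuple[int, int, str, str, bool]]:
    """Return (werfault_pid, target_pid, target_image, bitness, parent_is_target)
    for every WerFault launch whose -p resolves to a process in the list.

    bitness is 'x86' when WerFault ran from SysWOW64 (the WoW64 copy handles
    32-bit crashes on x64 Windows) and 'x64' otherwise. parent_is_target is
    True when WerFault's parent is the crashed process itself, the normal
    shape for an unhandled-exception report; a mismatch is worth a closer look
    rather than an automatic verdict.
    """
    by_pid = {p["pid"]: p for p in processes}
    found = []
    for p in processes:
        target = werfault_target(p["cmdline"])
        if target is None or target not in by_pid:
            continue
        bitness = "x86" if "\\syswow64\\" in p["cmdline"].lower() else "x64"
        found.append((p["pid"], target, by_pid[target]["image"],
                      bitness, p["ppid"] == target))
    return found


if __name__ == "__main__":
    for wer_pid, tgt, image, bits, self_reported in program_crash_iocs(PROCESSES):
        print(f"WerFault {wer_pid} -> crashed {tgt} ({image}, {bits}, "
              f"parent_is_target={self_reported})")
```

Run as-is it reports WerFault 1780 handling the crash of PID 1592 ("shipng Docs.exe", x86), matching the Program crash IoC in the Signatures section.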