218972a66f10ca014d9991d6033dab3be3aeb8ef64c97016fba028f79989b6dc | Triage

Analysis

max time kernel
129s
max time network
72s
platform
windows10_x64
resource
win10v200430
submitted
07-07-2020 09:45

Sharing

Report Analysis Logs

General

Target

shipng Docs.exe
Size

728KB
MD5

51610087f17b46e3775ecf619cebb1ab
SHA1

0632287ac8843d90532ddcd6dfcfa9855797ee22
SHA256

218972a66f10ca014d9991d6033dab3be3aeb8ef64c97016fba028f79989b6dc
SHA512

3c721f21efe4285ce39f3f27bf1711021f231986728b0b0d9b77a5dd1646024b8924674d97708b6be92fa58325ecc2d6eab736011f85ffdcad7782b5840106f2

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1780 1592 WerFault.exe shipng Docs.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

shipng Docs.exeWerFault.exe

pid	process
1592	shipng Docs.exe
1780	WerFault.exe
1780	WerFault.exe
1780	WerFault.exe
1780	WerFault.exe
1780	WerFault.exe
1780	WerFault.exe
1780	WerFault.exe
1780	WerFault.exe
1780	WerFault.exe
1780	WerFault.exe
1780	WerFault.exe
1780	WerFault.exe
1780	WerFault.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

shipng Docs.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	1592	shipng Docs.exe
Token: SeRestorePrivilege	1780	WerFault.exe
Token: SeBackupPrivilege	1780	WerFault.exe
Token: SeDebugPrivilege	1780	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\shipng Docs.exe
"C:\Users\Admin\AppData\Local\Temp\shipng Docs.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 936
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1780

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1780-0-0x0000000004990000-0x0000000004991000-memory.dmp

Filesize
4KB

Download
memory/1780-2-0x0000000005150000-0x0000000005151000-memory.dmp

Filesize
4KB

Download