4f7d098eae6da6be33eac760b42706400f38c821e26fa688a01a9a9fcbc3063c | Triage

Analysis

max time kernel
68s
max time network
118s
platform
windows10_x64
resource
win10
submitted
09-07-2020 07:49

Sharing

Report Analysis Logs

General

Target

shipmt. docs.exe
Size

673KB
MD5

082a5aabb74c2af499c403dc666e160b
SHA1

3db0f86f3482308fe7aa28849367c87bb0fbab05
SHA256

4f7d098eae6da6be33eac760b42706400f38c821e26fa688a01a9a9fcbc3063c
SHA512

f047ec5778f55735e43b9b2d11a06bae2aa28611df580a84ded75f306d8b58718775f8ecec235cd450c2e4a39a86214864e57290ac887e3fc3f3f7144b200dd1

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3952 3868 WerFault.exe shipmt. docs.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

shipmt. docs.exeWerFault.exe

pid	process
3868	shipmt. docs.exe
3952	WerFault.exe
3952	WerFault.exe
3952	WerFault.exe
3952	WerFault.exe
3952	WerFault.exe
3952	WerFault.exe
3952	WerFault.exe
3952	WerFault.exe
3952	WerFault.exe
3952	WerFault.exe
3952	WerFault.exe
3952	WerFault.exe
3952	WerFault.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

shipmt. docs.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	3868	shipmt. docs.exe
Token: SeRestorePrivilege	3952	WerFault.exe
Token: SeBackupPrivilege	3952	WerFault.exe
Token: SeDebugPrivilege	3952	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\shipmt. docs.exe
"C:\Users\Admin\AppData\Local\Temp\shipmt. docs.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3868 -s 1128
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3952

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3952-0-0x00000000047B0000-0x00000000047B1000-memory.dmp

Filesize
4KB

Download
memory/3952-1-0x0000000005120000-0x0000000005121000-memory.dmp

Filesize
4KB

Download