36dc75aba4921481245ab67c3ad19489576b7e7ee3e7c348c62c53c088f7be3f | Triage

Analysis

max time kernel
149s
max time network
152s
platform
windows10_x64
resource
win10
submitted
09-07-2020 18:44

Sharing

Report Analysis Logs

General

Target

SHIPMENT.exe
Size

397KB
MD5

df32f99868ae7a3d6ae8322795f309f1
SHA1

6fab769a3c4ffb45f5c1cb2112f398af7f9b8efe
SHA256

36dc75aba4921481245ab67c3ad19489576b7e7ee3e7c348c62c53c088f7be3f
SHA512

1a6664bc1250fa0cda07b6db94de2c665caa574b8bb73c0dfd6299ff7fbdaa0a0138d80c77d33138655972e9bcdf2928984b5fb9a250f84a52553681b631a292

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3012	3180	WerFault.exe	66

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3180	SHIPMENT.exe
Token: SeRestorePrivilege	3012	WerFault.exe
Token: SeBackupPrivilege	3012	WerFault.exe
Token: SeDebugPrivilege	3012	WerFault.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3180	SHIPMENT.exe
3012	WerFault.exe
3012	WerFault.exe
3012	WerFault.exe
3012	WerFault.exe
3012	WerFault.exe
3012	WerFault.exe
3012	WerFault.exe
3012	WerFault.exe
3012	WerFault.exe
3012	WerFault.exe
3012	WerFault.exe
3012	WerFault.exe
3012	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\SHIPMENT.exe
"C:\Users\Admin\AppData\Local\Temp\SHIPMENT.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:3180
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3180 -s 1264
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  PID:3012

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3012-0-0x00000000049D0000-0x00000000049D1000-memory.dmp

Filesize
4KB

Download
memory/3012-1-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download