bc02ccc2308126e2b656f8ab033d7c0e188873aa42eb103e8cdf631ae6e36449 | Triage

Analysis

max time kernel
129s
max time network
102s
platform
windows10_x64
resource
win10v200430
submitted
10-07-2020 17:41

Sharing

Report Analysis Logs

General

Target

Original Shipping documents.exe
Size

643KB
MD5

0d7eb830d496b29d26fdff1c5223d379
SHA1

7c6dcd3904a4c5e964b3617b78027e6f5b9996e1
SHA256

bc02ccc2308126e2b656f8ab033d7c0e188873aa42eb103e8cdf631ae6e36449
SHA512

1cc6668f5c36cfc386bc7f74dc2e56a8f579daf8df21a3cd3e7178218afd5df8d90de2a0629878e4fde27d03ffe6fc27662736faf00f1bcf78727494a87093ba

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2980 1612 WerFault.exe Original Shipping documents.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

WerFault.exe

pid	process
2980	WerFault.exe
2980	WerFault.exe
2980	WerFault.exe
2980	WerFault.exe
2980	WerFault.exe
2980	WerFault.exe
2980	WerFault.exe
2980	WerFault.exe
2980	WerFault.exe
2980	WerFault.exe
2980	WerFault.exe
2980	WerFault.exe
2980	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 2980 WerFault.exe
Token: SeBackupPrivilege 2980 WerFault.exe
Token: SeDebugPrivilege 2980 WerFault.exe

C:\Users\Admin\AppData\Local\Temp\Original Shipping documents.exe
"C:\Users\Admin\AppData\Local\Temp\Original Shipping documents.exe"
1⤵
PID:1612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 900
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2980

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2980-0-0x0000000004380000-0x0000000004381000-memory.dmp

Filesize
4KB

Download
memory/2980-1-0x00000000047C0000-0x00000000047C1000-memory.dmp

Filesize
4KB

Download
memory/2980-2-0x0000000004BC0000-0x0000000004BC1000-memory.dmp

Filesize
4KB

Download