391272018c37c88ce5c0921a9881695fbae09611ce443f12db516963012da380 | Triage

Analysis

max time kernel
137s
max time network
101s
platform
windows10_x64
resource
win10v200430
submitted
11-07-2020 06:00

Sharing

Report Analysis Logs

General

Target

shipping document.exe
Size

491KB
MD5

234b06c483e9c1677556b38cd0550dee
SHA1

b9d5edaa27a892f835141fc64e48dc767e62eefa
SHA256

391272018c37c88ce5c0921a9881695fbae09611ce443f12db516963012da380
SHA512

d5058790b660d7592c2f009ca7bcf86d290ea1852e773bceaeae8c3f82ac186ead94b9cb980a0674498d012aa95623982a539961983a463756d4185807433283

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3932 992 WerFault.exe shipping document.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

pid	process
3932	WerFault.exe
3932	WerFault.exe
3932	WerFault.exe
3932	WerFault.exe
3932	WerFault.exe
3932	WerFault.exe
3932	WerFault.exe
3932	WerFault.exe
3932	WerFault.exe
3932	WerFault.exe
3932	WerFault.exe
3932	WerFault.exe
3932	WerFault.exe
3932	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 3932 WerFault.exe
Token: SeBackupPrivilege 3932 WerFault.exe
Token: SeDebugPrivilege 3932 WerFault.exe

C:\Users\Admin\AppData\Local\Temp\shipping document.exe
"C:\Users\Admin\AppData\Local\Temp\shipping document.exe"
1⤵
PID:992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 928
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3932

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3932-0-0x0000000004560000-0x0000000004561000-memory.dmp

Filesize
4KB

Download
memory/3932-1-0x0000000004C10000-0x0000000004C11000-memory.dmp

Filesize
4KB

Download