Analysis

- max time kernel: 151s
- max time network: 109s
- platform: windows10_x64
- resource: win10v200722
- submitted: 31-07-2020 10:18

Static task
- static1

Behavioral task behavioral1
- Sample: Original Shipping Documents.exe
- Resource: win7 (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task behavioral2
- Sample: Original Shipping Documents.exe
- Resource: win10v200722 (windows10_x64)
- 0 signatures, 0 seconds
General

- Target: Original Shipping Documents.exe
- Size: 787KB
- MD5: 24d470040d22bbff52a8388c96ede9c4
- SHA1: a58d9c3007c2316676f0ca1c43eb1da94a8d0aff
- SHA256: d1acb47d2f3d3f08def6a48de5ee5cd09cae41a8c0ad42553e83c3c36a98bba0
- SHA512: d1aacfc74db02e9c382766287531b00846c8c5c965f156a3df711ddfd94bd00c17ff5f315aad959f4ff04c98fc91d31f482d5be10eaf5ca1099433c5af86f860
- Score: 3/10
Malware Config
- none extracted

Signatures
Program crash (1 IoC)

  pid   pid_target   process        target process
  3780  4028         WerFault.exe   Original Shipping Documents.exe

Suspicious behavior: EnumeratesProcesses (16 IoCs)

  pid   process                           count
  4028  Original Shipping Documents.exe   3
  3780  WerFault.exe                      13

Suspicious use of AdjustPrivilegeToken (4 IoCs)

  description                 pid   process
  Token: SeDebugPrivilege     4028  Original Shipping Documents.exe
  Token: SeRestorePrivilege   3780  WerFault.exe
  Token: SeBackupPrivilege    3780  WerFault.exe
  Token: SeDebugPrivilege     3780  WerFault.exe

Note: the only signatures raised by the sample itself (pid 4028) are process enumeration and enabling SeDebugPrivilege. Everything attributed to pid 3780 is WerFault.exe handling the crash: writing a dump of another process legitimately requires SeDebugPrivilege, SeBackupPrivilege and SeRestorePrivilege, and WER enumerates processes while doing so, so those 13 + 3 IoCs are crash-report noise rather than sample behaviour. WerFault.exe was started with -p 4028 (the faulting process) from SysWOW64, so the 32-bit sample crashed during the run. The 3/10 score therefore describes a detonation that ended in a crash, not a benign file: treat the run as inconclusive and rerun on another image or with a longer timeout before drawing a conclusion.
Processes

1. C:\Users\Admin\AppData\Local\Temp\Original Shipping Documents.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\Original Shipping Documents.exe"
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken

   2. C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4028 -s 968
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
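The signature tables and process list above arrive flattened onto single lines. As an added example (not part of the sandbox report or its tooling), the following Python helper parses those rows and the WerFault.exe command line, attributes each IoC to the sample or to the crash handler, and flags the run as inconclusive because the sample crashed. The input strings are constructed from this report's rows; the layout they follow is the page's flattened one, not a documented export format, and the WER privilege whitelist is the editor's own assumption about what dump collection needs.

```python
import re
from collections import Counter

# Constructed input: this report's three signature tables and two command lines,
# in the flattened one-line form the page shows (a header, then repeated rows).
# This is the page's layout, not a documented sandbox export; the regexes below
# are written for it only.
CRASH_ROWS = "3780 4028 WerFault.exe Original Shipping Documents.exe"
ENUM_ROWS = ("4028 Original Shipping Documents.exe " * 3
             + "3780 WerFault.exe " * 13).strip()
TOKEN_ROWS = ("Token: SeDebugPrivilege 4028 Original Shipping Documents.exe "
              "Token: SeRestorePrivilege 3780 WerFault.exe "
              "Token: SeBackupPrivilege 3780 WerFault.exe "
              "Token: SeDebugPrivilege 3780 WerFault.exe")
COMMAND_LINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\Original Shipping Documents.exe"',
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 4028 -s 968",
]

# Process names here contain spaces, so a row's process field ends at the first
# ".exe" rather than at whitespace; the lazy (.+?\.exe) relies on that.
PID_PROC = re.compile(r"(\d+)\s+(.+?\.exe)")
CRASH = re.compile(r"(\d+)\s+(\d+)\s+(.+?\.exe)\s+(.+?\.exe)")
TOKEN = re.compile(r"Token:\s+(\w+)\s+(\d+)\s+(.+?\.exe)")
WER_TARGET = re.compile(r"WerFault\.exe\s.*?-p\s+(\d+)")

# Assumption: privileges WerFault.exe enables to dump another process.
WER_EXPECTED_PRIVS = {"SeDebugPrivilege", "SeBackupPrivilege", "SeRestorePrivilege"}


def parse_crashes(rows):
    """Program crash rows -> [(reporter_pid, target_pid, reporter, target)]."""
    return [(int(a), int(b), c, d) for a, b, c, d in CRASH.findall(rows)]


def parse_pid_process(rows):
    """pid/process rows -> [(pid, process)], one tuple per IoC."""
    return [(int(p), n) for p, n in PID_PROC.findall(rows)]


def parse_tokens(rows):
    """AdjustPrivilegeToken rows -> [(privilege, pid, process)]."""
    return [(priv, int(p), n) for priv, p, n in TOKEN.findall(rows)]


def werfault_targets(command_lines):
    """pid named by a WerFault -p argument -> True if the SysWOW64 (32-bit) WerFault handled it."""
    out = {}
    for cmd in command_lines:
        m = WER_TARGET.search(cmd)
        if m:
            out[int(m.group(1))] = "\\SysWOW64\\" in cmd
    return out


def triage(crash_rows, enum_rows, token_rows, command_lines):
    crashes = parse_crashes(crash_rows)
    targets = werfault_targets(command_lines)
    enum_by_pid = Counter(pid for pid, _ in parse_pid_process(enum_rows))
    tokens = parse_tokens(token_rows)

    # The crash table fixes which pid is the sample and which pid is WER; with
    # no crash row, fall back to the first pid the enumeration table lists.
    if crashes:
        sample_pid = crashes[0][1]
    else:
        sample_pid = parse_pid_process(enum_rows)[0][0]
    wer_pids = {reporter for reporter, _, _, _ in crashes}

    # Attribute IoCs: anything raised by a WER pid is crash handling, not sample
    # behaviour, and is only worth a look if WER took a privilege it does not need.
    sample_privs = sorted(priv for priv, pid, _ in tokens if pid == sample_pid)
    wer_privs = {priv for priv, pid, _ in tokens if pid in wer_pids}

    crashed = sample_pid in targets
    result = {
        "sample_pid": sample_pid,
        "crashed": crashed,
        "crashed_as_wow64": targets.get(sample_pid, False),
        "sample_enum_iocs": enum_by_pid[sample_pid],
        "wer_enum_iocs": sum(enum_by_pid[p] for p in wer_pids),
        "sample_privileges": sample_privs,
        "unexpected_wer_privileges": sorted(wer_privs - WER_EXPECTED_PRIVS),
    }
    if crashed:
        result["verdict"] = ("inconclusive: sample crashed before showing a payload; "
                             "rerun on another image or with a longer timeout")
    else:
        result["verdict"] = "completed: judge the sample's own IoCs"
    return result


if __name__ == "__main__":
    for key, value in triage(CRASH_ROWS, ENUM_ROWS, TOKEN_ROWS, COMMAND_LINES).items():
        print(f"{key}: {value}")
```

Run against this report the helper attributes 3 enumeration IoCs and one SeDebugPrivilege to pid 4028, 13 enumeration IoCs and three expected privileges to the WerFault pid, and returns the "inconclusive" verdict because the SysWOW64 WerFault named 4028 as the faulting process.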