Analysis
-
max time kernel
147s -
max time network
10s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
13-01-2021 07:27
Static task
static1
Behavioral task
behavioral1
Sample
New FedEx paper work review.exe
Resource
win7v20201028
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
New FedEx paper work review.exe
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
General
-
Target
New FedEx paper work review.exe
-
Size
792KB
-
MD5
c359c954a7d104b0a1bde867f86e73a5
-
SHA1
e647c8aa88a7209463b0dd0daa733759a529806d
-
SHA256
306602e7317841b219d25b24ca14f9e50987fe9c9e48b3728bb548dea4557f9d
-
SHA512
8f48d07be0342db4a946b5c74598eb5dbe565bbf0c7ed2a5f6b5ab7b99577f0e8463004f601d0286bcaebf5a673e18e83d9b8f319e5566f28b59e2ebc3a18644
Score
8/10
Malware Config
Signatures
-
Drops file in Drivers directory 1 IoCs
Processes:
New FedEx paper work review.exedescription ioc process File opened for modification C:\Windows\system32\drivers\etc\hosts New FedEx paper work review.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
New FedEx paper work review.exedescription pid process target process PID 1676 set thread context of 1624 1676 New FedEx paper work review.exe New FedEx paper work review.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
New FedEx paper work review.exepid process 1624 New FedEx paper work review.exe 1624 New FedEx paper work review.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
New FedEx paper work review.exedescription pid process Token: SeDebugPrivilege 1624 New FedEx paper work review.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
New FedEx paper work review.exedescription pid process target process PID 1676 wrote to memory of 1624 1676 New FedEx paper work review.exe New FedEx paper work review.exe PID 1676 wrote to memory of 1624 1676 New FedEx paper work review.exe New FedEx paper work review.exe PID 1676 wrote to memory of 1624 1676 New FedEx paper work review.exe New FedEx paper work review.exe PID 1676 wrote to memory of 1624 1676 New FedEx paper work review.exe New FedEx paper work review.exe PID 1676 wrote to memory of 1624 1676 New FedEx paper work review.exe New FedEx paper work review.exe PID 1676 wrote to memory of 1624 1676 New FedEx paper work review.exe New FedEx paper work review.exe PID 1676 wrote to memory of 1624 1676 New FedEx paper work review.exe New FedEx paper work review.exe PID 1676 wrote to memory of 1624 1676 New FedEx paper work review.exe New FedEx paper work review.exe PID 1676 wrote to memory of 1624 1676 New FedEx paper work review.exe New FedEx paper work review.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\New FedEx paper work review.exe"C:\Users\Admin\AppData\Local\Temp\New FedEx paper work review.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1676 -
C:\Users\Admin\AppData\Local\Temp\New FedEx paper work review.exe"C:\Users\Admin\AppData\Local\Temp\New FedEx paper work review.exe"2⤵
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1624
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1624-7-0x0000000000400000-0x000000000043C000-memory.dmpFilesize
240KB
-
memory/1624-8-0x000000000043772E-mapping.dmp
-
memory/1624-9-0x0000000000400000-0x000000000043C000-memory.dmpFilesize
240KB
-
memory/1624-10-0x0000000000400000-0x000000000043C000-memory.dmpFilesize
240KB
-
memory/1624-11-0x0000000074110000-0x00000000747FE000-memory.dmpFilesize
6.9MB
-
memory/1676-2-0x0000000074110000-0x00000000747FE000-memory.dmpFilesize
6.9MB
-
memory/1676-3-0x0000000000C40000-0x0000000000C41000-memory.dmpFilesize
4KB
-
memory/1676-5-0x00000000001F0000-0x0000000000202000-memory.dmpFilesize
72KB
-
memory/1676-6-0x0000000005430000-0x00000000054A5000-memory.dmpFilesize
468KB