Analysis
- max time kernel: 132s
- max time network: 116s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 22-07-2021 17:11
Static task: static1
Behavioral task: behavioral1
- Sample: Documento de envio.exe
- Resource: win7v20210410 (windows7_x64)
- 0 signatures
- 0 seconds
Behavioral task: behavioral2
- Sample: Documento de envio.exe
- Resource: win10v20210408 (windows10_x64)
- 0 signatures
- 0 seconds
General
- Target: Documento de envio.exe
- Size: 982KB
- MD5: 0fcc784f9400be0d78104a0043ee4479
- SHA1: 65cac3bdb71487d6e14480ade6397347289e047b
- SHA256: 864b531c5f5a397b3fd2a8aa91c83f956d93300db9c986bfa7ae4744d7cb732f
- SHA512: b32a5475f7ec76dc88201383616e712d867757de39525ac5cda21536c5144e82fb3fe4b08f5024678823e8e1ca7bd8ffea0cbbeab8845636adb6e11e1fd1c975
- Score: 3/10
Malware Config
Signatures
- Program crash (1 IoC)
  Processes:
    pid   pid_target   process        target process
    652   588          WerFault.exe   mshta.exe
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes:
    pid   process
    652   WerFault.exe   (5 occurrences)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
    pid   process
    652   WerFault.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description                 pid   process
    Token: SeDebugPrivilege     652   WerFault.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes:
    description                      pid    process                   target process
    PID 1100 wrote to memory of 588  1100   Documento de envio.exe    mshta.exe       (16 occurrences)
    PID 588 wrote to memory of 652   588    mshta.exe                 WerFault.exe    (4 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\Documento de envio.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Documento de envio.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\mshta.exe (level 2)
    Command line: C:\Windows\System32\mshta.exe
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe (level 3)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 588 -s 144
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/588-66-0x0000000000000000-mapping.dmp
- memory/588-70-0x0000000000080000-0x0000000000081000-memory.dmp (Filesize: 4KB)
- memory/588-71-0x00000000000C0000-0x00000000000C1000-memory.dmp (Filesize: 4KB)
- memory/588-72-0x0000000000130000-0x0000000000131000-memory.dmp (Filesize: 4KB)
- memory/588-73-0x0000000010670000-0x00000000107D0000-memory.dmp (Filesize: 1.4MB)
- memory/652-68-0x0000000000000000-mapping.dmp
- memory/652-74-0x0000000000BE0000-0x0000000000BE1000-memory.dmp (Filesize: 4KB)
- memory/1100-60-0x00000000757D1000-0x00000000757D3000-memory.dmp (Filesize: 8KB)
- memory/1100-61-0x0000000000230000-0x0000000000231000-memory.dmp (Filesize: 4KB)
- memory/1100-63-0x00000000046C0000-0x0000000004704000-memory.dmp (Filesize: 272KB)