Analysis
max time kernel: 117s
max time network: 60s
platform: windows7_x64
resource: win7-en-20210920
submitted: 20-10-2021 10:16
Static task: static1
Behavioral task: behavioral1
  Sample: shipment docu..exe
  Resource: win7-en-20210920 (windows7_x64)
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: shipment docu..exe
  Resource: win10-en-20211014 (windows10_x64)
  0 signatures, 0 seconds
General
Target: shipment docu..exe
Size: 22KB
MD5: 75b7a294df955b78f7adf5882e600273
SHA1: df8f94ca5d228dcbda81efd0f8a0f37ff5ffa459
SHA256: d3c93ce13c0f0a8dd07512cb0cf5ca7474983e15e136022cd98c4ab9b6063bd4
SHA512: 7b4c28d71348e798f3ddc7084767424754556a02a436b91e7516408b75031df32b4ba08fc60d658aeb381538c89bdf867373127ef29f6b03ec1ece56cf2e6da6
Score: 3/10
Note: WerFault.exe (PID 1704) is Windows Error Reporting, spawned by PID 1112 with "-p 1112" after that process crashed. The hits raised on PID 1704 (Program crash, EnumeratesProcesses, GetForegroundWindowSpam, SeDebugPrivilege) are WER collecting the crash dump, not behaviour of the sample. The only hit raised on the sample itself is the SeDebugPrivilege token adjustment in PID 1112, and the Network and Malware Config sections below are empty, so the score reflects a run in which the sample crashed before doing anything else observable.
Malware Config
Signatures
Program crash (1 IoC)
  pid   pid_target  process       target process
  1704  1112        WerFault.exe  shipment docu..exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid   process
  1704  WerFault.exe  (4 hits)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   process
  1704  WerFault.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   process
  Token: SeDebugPrivilege  1112  shipment docu..exe
  Token: SeDebugPrivilege  1704  WerFault.exe

Suspicious use of WriteProcessMemory (4 IoCs)
  description                       pid   process             target process
  PID 1112 wrote to memory of 1704  1112  shipment docu..exe  WerFault.exe  (4 hits)
Processes
1. "C:\Users\Admin\AppData\Local\Temp\shipment docu..exe" (PID 1112)
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 1540 (PID 1704, child of PID 1112)
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
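The process tree above is the pattern of a crashed sample plus its WerFault.exe handler. The following Python is added here as an example; it is not part of the sandbox's report or tooling. It encodes the check a reviewer applies by hand: match each WerFault.exe child to the parent named by its "-p" argument, then separate signature hits raised on (or targeting) that handler from hits raised on the sample itself. The process records and signature tuples are constructed from the PIDs and command lines listed above; their layout is an assumption for this example, not the sandbox's export format, and treating a parent's memory write into its own WerFault child as part of the crash hand-off rather than as injection is the rule's stated assumption.

```python
import ntpath
import re
from typing import Dict, List, Optional, Tuple

# Constructed from the process tree in the report above. PIDs and command
# lines are the ones the report lists; the record layout is an assumption
# made for this example, not the sandbox's export format.
PROCESSES = [
    {"pid": 1112, "ppid": None,
     "cmd": r'"C:\Users\Admin\AppData\Local\Temp\shipment docu..exe"'},
    {"pid": 1704, "ppid": 1112,
     "cmd": r"C:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 1540"},
]

# (signature name, pid it was raised on, target pid for cross-process
# actions, else None), mirroring the "Processes:" tables in the report.
Signature = Tuple[str, int, Optional[int]]
SIGNATURES: List[Signature] = [
    ("Program crash", 1704, 1112),
    ("Suspicious behavior: EnumeratesProcesses", 1704, None),
    ("Suspicious behavior: GetForegroundWindowSpam", 1704, None),
    ("Suspicious use of AdjustPrivilegeToken", 1112, None),
    ("Suspicious use of AdjustPrivilegeToken", 1704, None),
    ("Suspicious use of WriteProcessMemory", 1112, 1704),
]

# "-p <pid>" as WerFault.exe is invoked by the faulting process.
_WER_PID = re.compile(r"(?:^|\s)-p\s+(\d+)(?:\s|$)")


def _image(cmd: str) -> str:
    """First token of a command line, honouring a quoted image path."""
    m = re.match(r'"([^"]+)"|(\S+)', cmd)
    return (m.group(1) or m.group(2)) if m else ""


def wer_handlers(processes) -> Dict[int, int]:
    """Map WerFault.exe PID -> PID of the process it was launched for.

    A WerFault.exe child counts as genuine crash handling only when its
    "-p <pid>" names the parent that spawned it; a process merely called
    WerFault.exe, or one pointed at some other PID, is left unmatched.
    """
    out: Dict[int, int] = {}
    for p in processes:
        if ntpath.basename(_image(p["cmd"])).lower() != "werfault.exe":
            continue
        m = _WER_PID.search(p["cmd"])
        if m and int(m.group(1)) == p["ppid"]:
            out[p["pid"]] = p["ppid"]
    return out


def crashed_processes(processes) -> List[int]:
    """PIDs that a matching WerFault.exe child reports as having crashed."""
    return sorted(set(wer_handlers(processes).values()))


def split_signatures(processes, signatures):
    """Separate hits the sample itself produced from crash-handling noise.

    A hit is noise when it was raised on a WER handler, or when its target
    is a WER handler (assumption: the faulting parent's write into the
    WerFault.exe child it spawned is the crash hand-off, not injection).
    """
    handlers = wer_handlers(processes)
    sample: List[Signature] = []
    noise: List[Signature] = []
    for sig in signatures:
        _name, pid, target = sig
        (noise if pid in handlers or target in handlers else sample).append(sig)
    return sample, noise


if __name__ == "__main__":
    kept, dropped = split_signatures(PROCESSES, SIGNATURES)
    print("crashed:", crashed_processes(PROCESSES))
    for s in kept:
        print("SAMPLE", s)
    for s in dropped:
        print("WER   ", s)
```

Run against the report's data this leaves a single sample-attributable hit (SeDebugPrivilege in PID 1112) and classifies the other five as crash handling, which is what the 3/10 score should be read as.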
Network
MITRE ATT&CK Matrix
Downloads
memory/1112-53-0x00000000000E0000-0x00000000000E1000-memory.dmp  (4KB)
memory/1112-55-0x00000000751A1000-0x00000000751A3000-memory.dmp  (8KB)
memory/1112-56-0x0000000004E60000-0x0000000004E61000-memory.dmp  (4KB)
memory/1704-57-0x0000000000000000-mapping.dmp
memory/1704-58-0x0000000000950000-0x0000000000951000-memory.dmp  (4KB)