Analysis
max time kernel: 300s
max time network: 300s
platform: windows7_x64
resource: win7-en-20211014
submitted: 01-12-2021 16:41
Static task: static1
Behavioral task: behavioral1
  Sample: Shipping Document BL Copy.exe
  Resource: win7-en-20211014 (windows7_x64)
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: Shipping Document BL Copy.exe
  Resource: win10-en-20211104 (windows10_x64)
  0 signatures, 0 seconds
General
Target: Shipping Document BL Copy.exe
Size: 732KB
MD5: d47502f0f5b346169fe57cabb1228eee
SHA1: 9ddfed11c7fd9beedc44c39ce7f1cac45783b532
SHA256: 2d1dda31bb4e7657a3f9878a056323e398590837d3c11b45540013103bfbca97
SHA512: 24869686cdea61de8025471bed5f5fe38ea0e5e94aec375cf52a25fc5ec28319314471576f66d5bbe66da45c252a6620cd272dc2690fbc929973a0e0b8eb284b
Score: 3/10
Malware Config
Signatures
Program crash (1 IoC)
  Processes:
    pid   pid_target  process       target process
    1864  320         WerFault.exe  Shipping Document BL Copy.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
    pid   process
    1864  WerFault.exe
    1864  WerFault.exe
    1864  WerFault.exe
    1864  WerFault.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
    pid   process
    1864  WerFault.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  1864  WerFault.exe
Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
    description                      pid  process                        target process
    PID 320 wrote to memory of 1864  320  Shipping Document BL Copy.exe  WerFault.exe
    PID 320 wrote to memory of 1864  320  Shipping Document BL Copy.exe  WerFault.exe
    PID 320 wrote to memory of 1864  320  Shipping Document BL Copy.exe  WerFault.exe
    PID 320 wrote to memory of 1864  320  Shipping Document BL Copy.exe  WerFault.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\Shipping Document BL Copy.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Shipping Document BL Copy.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\WerFault.exe (child of PID 320)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 320 -s 672
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
memory/320-55-0x00000000008D0000-0x00000000008D1000-memory.dmp (4KB)
memory/320-57-0x0000000004330000-0x0000000004331000-memory.dmp (4KB)
memory/320-58-0x0000000000610000-0x0000000000616000-memory.dmp (24KB)
memory/320-59-0x0000000005E10000-0x0000000005EBC000-memory.dmp (688KB)
memory/1864-60-0x0000000000000000-mapping.dmp
memory/1864-61-0x0000000000240000-0x0000000000241000-memory.dmp (4KB)