Analysis
- Max time kernel: 134s
- Max time network: 130s
- Platform: windows7_x64
- Resource: win7-en-20211208
- Submitted: 07-02-2022 08:04

Tasks
- Static task: static1
- Behavioral task: behavioral1 (sample: TNT Shipping Documents PDF.exe; resource: win7-en-20211208, windows7_x64)
- 0 signatures
- 0 seconds
General
- Target: TNT Shipping Documents PDF.exe
- Size: 47KB
- MD5: 7d50ca70bff094575182ed4a262bdfe0
- SHA1: 3be7106531cc7a8685b09abe19420991b20f2095
- SHA256: a59584b56e441105efa83722c78737df246a0ed1e76d2b1c3c20e7c1581d9cae
- SHA512: 014c99b4918c99677780205ce78f538ca2a671b1e0ba7b6245c2a974e459c9ee127893cfaaaefcf442fc04e69e50ace4e03ce164c7eadf45f61cd3bbef865b8f
- Score: 3/10
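Before relying on this report for a file pulled from a mailbox or a quarantine, confirm it is the same bytes the sandbox analysed. The following is an added example (not part of the sandbox's own tooling) that computes the four digests the report lists and compares them against the values above; it assumes a local copy of the sample at a path you supply, and the byte strings used to exercise it are constructed.

```python
import hashlib
from pathlib import Path
from typing import Dict, Union

# Digests exactly as listed in the report's General section for
# "TNT Shipping Documents PDF.exe" (47KB).
REPORT_HASHES: Dict[str, str] = {
    "md5": "7d50ca70bff094575182ed4a262bdfe0",
    "sha1": "3be7106531cc7a8685b09abe19420991b20f2095",
    "sha256": "a59584b56e441105efa83722c78737df246a0ed1e76d2b1c3c20e7c1581d9cae",
    "sha512": "014c99b4918c99677780205ce78f538ca2a671b1e0ba7b6245c2a974e459c9ee"
              "127893cfaaaefcf442fc04e69e50ace4e03ce164c7eadf45f61cd3bbef865b8f",
}


def _new_hashers() -> Dict[str, "hashlib._Hash"]:
    # One hasher per algorithm named in the report, fed in a single pass.
    return {name: hashlib.new(name) for name in REPORT_HASHES}


def hash_bytes(data: bytes) -> Dict[str, str]:
    """All four digests of an in-memory blob (e.g. an attachment already decoded)."""
    hashers = _new_hashers()
    for h in hashers.values():
        h.update(data)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_file(path: Union[str, Path], chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Same digests, streamed from disk so large samples need not fit in memory."""
    hashers = _new_hashers()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def compare_to_report(actual: Dict[str, str],
                      expected: Dict[str, str] = REPORT_HASHES) -> Dict[str, bool]:
    """Per-algorithm match flags. Comparison is case-insensitive because portals
    print hex in either case; a missing algorithm counts as a mismatch."""
    return {name: actual.get(name, "").lower() == expected[name].lower()
            for name in expected}


def is_reported_sample(actual: Dict[str, str],
                       expected: Dict[str, str] = REPORT_HASHES) -> bool:
    """True only when every listed digest agrees. A single mismatch means the
    local file is not the analysed sample (or a hash was transcribed wrongly)."""
    return all(compare_to_report(actual, expected).values())


if __name__ == "__main__":
    import sys
    # Usage: python verify_sample.py "<path to local copy of the sample>"
    digests = hash_file(sys.argv[1])
    for name, ok in compare_to_report(digests).items():
        print(f"{name:7} {'match' if ok else 'MISMATCH'}  {digests[name]}")
    print("verdict:", "same sample as report" if is_reported_sample(digests) else "different file")
```

Checking all four rather than only MD5 matters here: MD5 and SHA1 collisions are practical to construct, so a match on SHA256 and SHA512 is what actually ties your file to the report.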
Malware Config
Signatures
Program crash (1 IoC)
  pid   pid_target   process        target process
  836   1160         WerFault.exe   TNT Shipping Documents PDF.exe

Suspicious behavior: EnumeratesProcesses (5 IoCs)
  pid   process
  836   WerFault.exe   (5 occurrences)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   process
  836   WerFault.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description               pid    process
  Token: SeDebugPrivilege   1160   TNT Shipping Documents PDF.exe
  Token: SeDebugPrivilege   836    WerFault.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description                       pid    process                          target process
  PID 1160 wrote to memory of 836   1160   TNT Shipping Documents PDF.exe   WerFault.exe   (3 occurrences)

Note: apart from the SeDebugPrivilege request by PID 1160, every hit above belongs to WerFault.exe (PID 836), the Windows Error Reporting process that PID 1160 launched when it crashed (the WerFault command line's -p 1160 names the faulting process). Process enumeration, foreground-window polling and a parent writing into the child it has just created are normal for that crash-reporting path. The 3/10 score therefore describes a sample that crashed before doing anything else observable in this run, not one shown to be benign; re-run it on a different resource before drawing a conclusion.
Processes
- "C:\Users\Admin\AppData\Local\Temp\TNT Shipping Documents PDF.exe" (PID 1160)
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\WerFault.exe -u -p 1160 -s 1116 (PID 836, child of 1160)
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
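The process tree above is the pattern worth alerting on in an estate even when a sample does nothing else: a crash handler whose faulting process lives in a user's Temp directory under a document-style lure name. The following is an added example (not from the sandbox or the page) of that detection logic run over process-creation events; the events are constructed to mirror the report's tree plus a benign control crash, with field names modelled on Sysmon Event ID 1. It resolves the faulting process from WerFault's -p argument (1160 in the report, matching the pid_target in the Program crash signature) rather than trusting the parent PID alone.

```python
import re
from typing import Dict, List

# Constructed events (not captured from the sandbox): the report's two
# processes, plus a normal crash of an installed application as a control.
EVENTS: List[Dict] = [
    {"pid": 1160, "ppid": 1040,
     "image": r"C:\Users\Admin\AppData\Local\Temp\TNT Shipping Documents PDF.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\TNT Shipping Documents PDF.exe"'},
    {"pid": 836, "ppid": 1160,
     "image": r"C:\Windows\system32\WerFault.exe",
     "cmdline": r"C:\Windows\system32\WerFault.exe -u -p 1160 -s 1116"},
    {"pid": 2200, "ppid": 900,
     "image": r"C:\Program Files\Vendor\app.exe",
     "cmdline": r'"C:\Program Files\Vendor\app.exe"'},
    {"pid": 2244, "ppid": 2200,
     "image": r"C:\Windows\system32\WerFault.exe",
     "cmdline": r"C:\Windows\system32\WerFault.exe -u -p 2200 -s 1200"},
]

# Directories where mail- and browser-delivered payloads are typically staged.
USER_STAGING_DIRS = re.compile(
    r"\\Users\\[^\\]+\\(AppData\\Local\\Temp|Downloads)\\", re.IGNORECASE)
# A document word directly before an executable extension, e.g. "Invoice.pdf.exe"
# or, as in the report, "... Documents PDF.exe".
LURE_NAME = re.compile(
    r"(pdf|docx?|xlsx?|invoice|shipping|document)s?[ ._-]*\.(exe|scr|com)$", re.IGNORECASE)
# WerFault's -p argument carries the PID of the faulting process.
WERFAULT_PARENT = re.compile(r"\s-p\s+(\d+)", re.IGNORECASE)


def faulting_pid(werfault_event: Dict) -> int:
    """PID WerFault was told to report on; falls back to the parent PID."""
    m = WERFAULT_PARENT.search(werfault_event["cmdline"])
    return int(m.group(1)) if m else werfault_event["ppid"]


def werfault_crash_alerts(events: List[Dict]) -> List[Dict]:
    """Flag WerFault launches whose faulting process looks like a delivered lure."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if not e["image"].lower().endswith(r"\werfault.exe"):
            continue
        target_pid = faulting_pid(e)
        faulting = by_pid.get(target_pid)
        if faulting is None:
            continue  # no creation event for that PID in this window
        reasons = []
        if USER_STAGING_DIRS.search(faulting["image"]):
            reasons.append("faulting image under a user staging directory")
        if LURE_NAME.search(faulting["image"]):
            reasons.append("lure-style executable name")
        if reasons:
            alerts.append({"werfault_pid": e["pid"], "faulting_pid": target_pid,
                           "image": faulting["image"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in werfault_crash_alerts(EVENTS):
        print(f"WerFault {a['werfault_pid']} reporting on {a['faulting_pid']}: "
              f"{a['image']}  [{'; '.join(a['reasons'])}]")
```

Tuning note: the staging-directory test on its own fires on legitimate installers run from Downloads, so keep it as a scoring factor and let the lure-name match, or a crash within seconds of the parent's start, carry the alert.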
Network
MITRE ATT&CK Matrix
Downloads (memory dumps)
- memory/836-56-0x000007FEFC321000-0x000007FEFC323000-memory.dmp (8KB)
- memory/836-59-0x0000000001C60000-0x0000000001C61000-memory.dmp (4KB)
- memory/1160-54-0x0000000000D60000-0x0000000000D72000-memory.dmp (72KB)
- memory/1160-55-0x000000001B3F0000-0x000000001B3F2000-memory.dmp (8KB)