ddfd130058c6bf798f81c7943725ec4e0c8de1df5aeb204426d2294cb1371a36 | Triage

Analysis

max time kernel
63s
max time network
55s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
21/12/2022, 06:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Parcel [email protected]
Size

141KB
MD5

a5db6adb574552a24d3b886762f4dbf3
SHA1

caf958dad191f647eb6d4ef885cf4da92e11969e
SHA256

f58a5c7c34a09860c8aaf590ce7cd9de51267edf6b3153f575a7caf6d8832364
SHA512

bf1bc5bf939e9e792720fe8b2fabc9adacb75c49d80b6cdb5dc7a44a50043a7304ac44b19c7f227dae2ee8c6d02cb3a431841c816c03678a1462533a69f0953c
SSDEEP

1536:yo5pvN49Hq+qqqXlllllllll6vURCmo3NGqPqOxrFt1WbKQrxqkqfbL:fpav33lRB6ybL

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1060	1208	WerFault.exe	26

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1208	Parcel [email protected]

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1208 wrote to memory of 1060	1208	Parcel [email protected]	27
PID 1208 wrote to memory of 1060	1208	Parcel [email protected]	27
PID 1208 wrote to memory of 1060	1208	Parcel [email protected]	27
PID 1208 wrote to memory of 1060	1208	Parcel [email protected]	27

C:\Users\Admin\AppData\Local\Temp\Parcel [email protected]
"C:\Users\Admin\AppData\Local\Temp\Parcel [email protected]"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1208
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1208 -s 1100
  2⤵
  - Program crash
  PID:1060

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1208-54-0x00000000011D0000-0x00000000011F8000-memory.dmp

Filesize
160KB

Download
memory/1208-55-0x0000000075D01000-0x0000000075D03000-memory.dmp

Filesize
8KB

Download