f9ffa58b5dd142b4f6e87a1c7fb8915a1d2054c5ffeda62eab078c8f5b1ef644

Analysis

max time kernel
43s
max time network
47s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
30/12/2022, 07:33

Target

FedEx Shipment doc.exe
Size

1023KB
MD5

18de2e338f8ebe55f152a8ba52742175
SHA1

cd5538e2c8bc84605d5b5997596bf3d37872757d
SHA256

f9ffa58b5dd142b4f6e87a1c7fb8915a1d2054c5ffeda62eab078c8f5b1ef644
SHA512

f554a6e43e63e53248bff7227aa348551fa04bf1067ae8806978caca598e271835672e2f555c2fe1c77fbdfd21f6cd5b5d574729cfbc18fb586925ed5736c18a
SSDEEP

12288:lBp2iN1/Sr+p1kZdu8oNVHiy84VHKmZ5cLfEg5yBqVxRH8c+9eFf+mDXttarruVI:lL1e+1k/W5ilaHkjEUKq5H80

Score

1^/10

Suspicious behavior: EnumeratesProcesses 5 IoCs

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1672	FedEx Shipment doc.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1672 wrote to memory of 1696	1672	FedEx Shipment doc.exe	27
PID 1672 wrote to memory of 1696	1672	FedEx Shipment doc.exe	27
PID 1672 wrote to memory of 1696	1672	FedEx Shipment doc.exe	27
PID 1672 wrote to memory of 1696	1672	FedEx Shipment doc.exe	27
PID 1672 wrote to memory of 1620	1672	FedEx Shipment doc.exe	28
PID 1672 wrote to memory of 1620	1672	FedEx Shipment doc.exe	28
PID 1672 wrote to memory of 1620	1672	FedEx Shipment doc.exe	28
PID 1672 wrote to memory of 1620	1672	FedEx Shipment doc.exe	28
PID 1672 wrote to memory of 576	1672	FedEx Shipment doc.exe	29
PID 1672 wrote to memory of 576	1672	FedEx Shipment doc.exe	29
PID 1672 wrote to memory of 576	1672	FedEx Shipment doc.exe	29
PID 1672 wrote to memory of 576	1672	FedEx Shipment doc.exe	29
PID 1672 wrote to memory of 1500	1672	FedEx Shipment doc.exe	30
PID 1672 wrote to memory of 1500	1672	FedEx Shipment doc.exe	30
PID 1672 wrote to memory of 1500	1672	FedEx Shipment doc.exe	30
PID 1672 wrote to memory of 1500	1672	FedEx Shipment doc.exe	30
PID 1672 wrote to memory of 1100	1672	FedEx Shipment doc.exe	31
PID 1672 wrote to memory of 1100	1672	FedEx Shipment doc.exe	31
PID 1672 wrote to memory of 1100	1672	FedEx Shipment doc.exe	31
PID 1672 wrote to memory of 1100	1672	FedEx Shipment doc.exe	31

C:\Users\Admin\AppData\Local\Temp\FedEx Shipment doc.exe
"C:\Users\Admin\AppData\Local\Temp\FedEx Shipment doc.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Users\Admin\AppData\Local\Temp\FedEx Shipment doc.exe
  "C:\Users\Admin\AppData\Local\Temp\FedEx Shipment doc.exe"
  2⤵
  PID:1696
- C:\Users\Admin\AppData\Local\Temp\FedEx Shipment doc.exe
  "C:\Users\Admin\AppData\Local\Temp\FedEx Shipment doc.exe"
  2⤵
  PID:1620
- C:\Users\Admin\AppData\Local\Temp\FedEx Shipment doc.exe
  "C:\Users\Admin\AppData\Local\Temp\FedEx Shipment doc.exe"
  2⤵
  PID:576
- C:\Users\Admin\AppData\Local\Temp\FedEx Shipment doc.exe
  "C:\Users\Admin\AppData\Local\Temp\FedEx Shipment doc.exe"
  2⤵
  PID:1500
- C:\Users\Admin\AppData\Local\Temp\FedEx Shipment doc.exe
  "C:\Users\Admin\AppData\Local\Temp\FedEx Shipment doc.exe"
  2⤵
  PID:1100

memory/1672-54-0x0000000000380000-0x0000000000486000-memory.dmp

Filesize
1.0MB

Download
memory/1672-55-0x0000000075111000-0x0000000075113000-memory.dmp

Filesize
8KB

Download
memory/1672-56-0x0000000000530000-0x0000000000540000-memory.dmp

Filesize
64KB

Download
memory/1672-57-0x0000000000570000-0x000000000057A000-memory.dmp

Filesize
40KB

Download
memory/1672-58-0x0000000004AF0000-0x0000000004B60000-memory.dmp

Filesize
448KB

Download
memory/1672-59-0x00000000007A0000-0x00000000007D4000-memory.dmp

Filesize
208KB

Download