29a9f4931a1f5b2dd373fa79404361e2f4a3de65967d39277af19c3f58367974

Analysis

max time kernel
123s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
23/10/2023, 10:14

Target

shipping document.exe
Size

294KB
MD5

918a4ca19ee19b6df3277720e811d770
SHA1

67568af7b39312424d131ae5fe3988274cdbb55e
SHA256

4578e6280f2c8e0925d94f8f89b44e204b66258eb9e842795b35b0db93d8e084
SHA512

2bedc724319ee365b0884476d3da5594d6606e72bcbfb673a6983f7ccded77a6630d7b0dec5e87c4317cbacd2dff1948058e278fc3212506852277443b2f5032
SSDEEP

3072:MEbEC0GHLMAR18POIyFABgNN3XRQSY9KAQl6qx:MEvbLMAj8P6RB2KAQlh

Score

3^/10

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4908	3256	WerFault.exe	86

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3256	shipping document.exe

C:\Users\Admin\AppData\Local\Temp\shipping document.exe
"C:\Users\Admin\AppData\Local\Temp\shipping document.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3256
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3256 -s 1932
  2⤵
  - Program crash
  PID:4908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3256 -ip 3256
1⤵
PID:4284

memory/3256-0-0x0000000074BA0000-0x0000000075350000-memory.dmp

Filesize
7.7MB

Download
memory/3256-1-0x0000000000150000-0x00000000001A0000-memory.dmp

Filesize
320KB

Download
memory/3256-2-0x0000000004C60000-0x0000000004C70000-memory.dmp

Filesize
64KB

Download
memory/3256-3-0x0000000074BA0000-0x0000000075350000-memory.dmp

Filesize
7.7MB

Download
memory/3256-4-0x0000000074BA0000-0x0000000075350000-memory.dmp

Filesize
7.7MB

Download