Analysis Report CUSTOM SHIPING DOCS.exe

Overview

General Information

Sample Name: CUSTOM SHIPING DOCS.exe
Analysis ID: 326327
MD5: 5533ec4c49c29a1225d1b01d38933bd4
SHA1: f3aa3401d15d44d65177ba02244c189ee1e822fb
SHA256: ed8bdc7dfb03c556a144b552517f725297acac5c046313b9f8a96432d94cdf5c
Tags: exe

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Machine Learning detection for sample
PE file has a writeable .text section
Checks if the current process is being debugged
Creates a DirectInput object (often for capturing keystrokes)
Enables debug privileges
One or more processes crash
PE file contains strange resources
PE file does not import any functions
Queries disk information (often used to detect virtual machines)
Stores large binary data to the registry
Tries to load missing DLLs

Classification

Startup

  • System is w10x64
  • CUSTOM SHIPING DOCS.exe (PID: 7072 cmdline: 'C:\Users\user\Desktop\CUSTOM SHIPING DOCS.exe' MD5: 5533EC4C49C29A1225D1B01D38933BD4)
    • WerFault.exe (PID: 7144 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7072 -s 212 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Machine Learning detection for sample
Source: CUSTOM SHIPING DOCS.exe; Joe Sandbox ML: detected
Source: WerFault.exe, 00000003.00000003.354582319.000000000331C000.00000004.00000001.sdmp; String found in binary or memory: http://crl.micro
Source: CUSTOM SHIPING DOCS.exe, 00000000.00000002.356907842.000000000016A000.00000004.00000020.sdmp; Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

PE file has a writeable .text section
Source: CUSTOM SHIPING DOCS.exe; Static PE information: Section: .text IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: unknown; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7072 -s 212
Source: CUSTOM SHIPING DOCS.exe; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: CUSTOM SHIPING DOCS.exe; Static PE information: No import functions for PE file found
Source: C:\Windows\SysWOW64\WerFault.exe; Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\WerFault.exe; Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\WerFault.exe; Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: classification engine; Classification label: mal48.winEXE@2/4@0/0
Source: C:\Windows\SysWOW64\WerFault.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7072
Source: C:\Windows\SysWOW64\WerFault.exe; File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER1CA6.tmp
Source: C:\Users\user\Desktop\CUSTOM SHIPING DOCS.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\WerFault.exe; File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown; Process created: C:\Users\user\Desktop\CUSTOM SHIPING DOCS.exe 'C:\Users\user\Desktop\CUSTOM SHIPING DOCS.exe'
Source: unknown; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7072 -s 212
Source: CUSTOM SHIPING DOCS.exe; Static PE information: Virtual size of .text is bigger than: 0x100000
Source: CUSTOM SHIPING DOCS.exe; Static file information: File size 1651712 > 1048576
Source: CUSTOM SHIPING DOCS.exe; Static PE information: Raw size of .text is bigger than: 0x100000 < 0x13fa00
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000003.00000003.341920539.0000000003326000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000003.00000003.342002495.000000000332C000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000003.00000003.342002495.000000000332C000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000003.00000003.341920539.0000000003326000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000003.00000003.341916611.0000000003320000.00000004.00000001.sdmp
Source: Binary string: upwntdll.pdb source: WerFault.exe, 00000003.00000003.341860173.000000000333A000.00000004.00000001.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000003.00000003.343258907.00000000052E1000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbk source: WerFault.exe, 00000003.00000003.343258907.00000000052E1000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000003.00000003.341916611.0000000003320000.00000004.00000001.sdmp
Source: C:\Windows\SysWOW64\WerFault.exe; Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363} DeviceTicket
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; File opened: PhysicalDrive0
Source: WerFault.exe, 00000003.00000002.355732976.00000000034E0000.00000002.00000001.sdmp; Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: WerFault.exe, 00000003.00000002.355594663.000000000335A000.00000004.00000020.sdmp; Binary or memory string: Hyper-V RAW
Source: WerFault.exe, 00000003.00000002.355732976.00000000034E0000.00000002.00000001.sdmp; Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: WerFault.exe, 00000003.00000002.355732976.00000000034E0000.00000002.00000001.sdmp; Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: WerFault.exe, 00000003.00000003.350669940.000000000335A000.00000004.00000001.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: WerFault.exe, 00000003.00000002.355732976.00000000034E0000.00000002.00000001.sdmp; Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Windows\SysWOW64\WerFault.exe; Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\CUSTOM SHIPING DOCS.exe; Process queried: DebugPort
Source: C:\Windows\SysWOW64\WerFault.exe; Process token adjusted: Debug

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation | DLL Side-Loading (1) | Process Injection (1) | Modify Registry (1) | Input Capture (1) | Security Software Discovery (21) | Remote Services | Input Capture (1) | Exfiltration Over Other Network Medium | Data Obfuscation | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | DLL Side-Loading (1) | Virtualization/Sandbox Evasion (2) | LSASS Memory | Virtualization/Sandbox Evasion (2) | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection (1) | Security Account Manager | Process Discovery (1) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | DLL Side-Loading (1) | NTDS | System Information Discovery (11) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | Remote System Discovery (1) | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings

(Numbers in parentheses are the count of matched signatures for that technique.)

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label | Link
CUSTOM SHIPING DOCS.exe | 100% | Joe Sandbox ML | |

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label | Link
http://crl.micro | 0% | URL Reputation | safe |

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://crl.micro | WerFault.exe, 00000003.00000003.354582319.000000000331C000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version: 31.0.0 Red Diamond
Analysis ID: 326327
Start date: 03.12.2020
Start time: 09:54:14
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 4m 34s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: CUSTOM SHIPING DOCS.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 22
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal48.winEXE@2/4@0/0
EGA Information: Failed
HDC Information: Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
  • Excluded IPs from analysis (whitelisted): 52.255.188.83, 51.104.139.180, 40.88.32.150, 52.155.217.156, 104.42.151.234, 20.54.26.129, 2.20.142.210, 2.20.142.209, 51.103.5.186, 13.88.21.125, 92.122.213.194, 92.122.213.247, 92.122.144.200, 51.11.168.160, 13.64.90.137
  • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, wns.notify.windows.com.akadns.net, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, skypedataprdcoleus15.cloudapp.net, par02p.wns.notify.windows.com.akadns.net, emea1.notify.windows.com.akadns.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, client.wns.windows.com, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, a767.dscg3.akamai.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, skypedataprdcolwus15.cloudapp.net

Simulations

Behavior and APIs

Time | Type | Description
09:55:16 | API Interceptor | 1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_CUSTOM SHIPING D_ab7019a57941d055ca75d96ef7ee3b39da4f9ae0_41b924a0_1baf32de\Report.wer
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Little-endian UTF-16 Unicode text, with CRLF line terminators
Category: dropped
Size (bytes): 7922
Entropy (8bit): 3.7850467920526656
Encrypted: false
SSDEEP: 192:Y2PjYzDVjGAbHBUZMX1gVjh/u7sBS274ItMVL+j:ljcZ1BUZMXgjh/u7sBX4ItQ+j
MD5: 80F8C7E08B081D1EB261F293F1C1429A
SHA1: 634CC4C2E2D995A4B64DC481725CB212D94ADFB7
SHA-256: D12CAC24876282210541DFB9A14343B62B4E2D8A05D3EFC23A524905040F49CA
SHA-512: E8D4F4C326AAD187A9D8BE0C34CFD3AAF306EFCF13F6BD15C9F1B40D799A6DA4F39892C8100503065A1119D0570DBE37B6023A5E70DB52CAEA70CA25F242DCFD
Malicious: false
Reputation: low
Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.5.1.4.9.1.7.1.0.7.3.5.4.0.4.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.5.1.4.9.1.7.1.3.9.3.8.5.1.8.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.0.b.4.a.9.f.c.-.b.d.4.1.-.4.d.0.7.-.a.e.5.5.-.f.d.f.5.d.5.8.9.f.d.8.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.c.3.6.1.2.3.9.-.a.4.c.0.-.4.9.6.6.-.b.9.1.3.-.f.5.5.4.a.d.7.c.0.8.9.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.C.U.S.T.O.M. .S.H.I.P.I.N.G. .D.O.C.S...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.a.0.-.0.0.0.1.-.0.0.1.7.-.3.f.9.b.-.a.0.6.f.9.d.c.9.d.6.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.c.4.3.2.4.a.e.7.c.4.7.7.6.a.8.e.7.9.6.c.3.8.d.a.6.3.f.4.0.4.c.5.0.0.0.0.f.f.f.f.!.0.0.0.0.f.3.a.a.3.4.0.1.d.1.5.d.4.4.d.6.5.1.7.7.b.a.0.2.2.4.4.c.1.8.9.e.e.1.e.8.2.2.f.b.!.C.U.S.T.O.M. .S.H.I.P.I.N.
C:\ProgramData\Microsoft\Windows\WER\Temp\WER1CA6.tmp.dmp
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Mini DuMP crash report, 14 streams, Thu Dec 3 17:55:11 2020, 0x1205a4 type
Category: dropped
Size (bytes): 18274
Entropy (8bit): 2.1723860993650024
Encrypted: false
SSDEEP: 96:5Ri8Q/vE1cC0JuXM1GE8pfocfnmX7P7vQXiTVVpE0iWlfpWInWIX4I4EhNHPA:e3C0JiM+gXvvQXuV80iW8EhNHPA
MD5: 86F8BE2D4ED6E1617E5E41BDFFECE433
SHA1: 66E2784B66A1D117EECD395A64B9217FF8BEDBB7
SHA-256: B2B2406D84BAC2117FA8A1DC2A1FD3AB588B25CD15BB421C901A2CA9928C0B39
SHA-512: 53EE36D6BF3E5696AB186340185017444923D61671904F1A738FFBBE643FFE58E3C4E5022BD0306C24A65AB8295B8E5072A64AF89AB54F7C2FB6A136765C77AB
Malicious: false
Reputation: low
Preview: MDMP....... ........&._...................U...........B..............GenuineIntelW...........T...........{&._.............................0..2...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
C:\ProgramData\Microsoft\Windows\WER\Temp\WER1E2E.tmp.WERInternalMetadata.xml
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category: dropped
Size (bytes): 8340
Entropy (8bit): 3.706754522402832
Encrypted: false
SSDEEP: 192:Rrl7r3GLNiEoy636YJ2SUbisoCgmfHMISqCprg89bMxsfbkm:RrlsNi8636YISUbiJCgmfLSfMqfd
MD5: F426F0F23C6E2383D6F59433A2B9346B
SHA1: 3548DB9EB7050B33F825B4AAF3156730389CDB9A
SHA-256: A3984A99D4A9928EFE2021C2303EE78AC9B03075BC9B1F8254F2CE8472D359BC
SHA-512: C98530CBDFCCD046C936592206AE067FB4FAEDB7105517FE7D3E0A9B30007F64F89525521EA25220426144060BE12DF2C9FA4DB70BACDC109E54B0F336C56111
Malicious: false
Reputation: low
Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.0.7.2.<./.P.i.d.>.......
C:\ProgramData\Microsoft\Windows\WER\Temp\WER2090.tmp.xml
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 4630
Entropy (8bit): 4.535775844018153
Encrypted: false
SSDEEP: 48:cvIwSD8zsYJgtWI9GgWSC8BS8fm8M4Jgkqk5/kkFE+q8rkDk4kb8oYNktvkktld:uITfeFZSNRJg5IkwGcb8HSvkSld
MD5: 30D2C6E6A357339ADE606501DF5EAE11
SHA1: 8681B85C084E6A99E7861AB02AF5E0F0E68672BA
SHA-256: 26E16D76377B0BA36138F495D3BB8773B4D51FD5B7A6EA18E56E5F5A4F3827F6
SHA-512: 2DBDD5DF481B60A3FD86C7D4B3E223025EEEE7EB5BE38732CB1EE38E6AF9664CCD39DC56BA7D56CE38B920507D8B4B6A5D974E859AC2A8A292FE14D01F88AB6A
Malicious: false
Reputation: low
Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="756185" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

Static File Info

General

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 5.364732034538418
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • VXD Driver (31/22) 0.00%
File name: CUSTOM SHIPING DOCS.exe
File size: 1651712
MD5: 5533ec4c49c29a1225d1b01d38933bd4
SHA1: f3aa3401d15d44d65177ba02244c189ee1e822fb
SHA256: ed8bdc7dfb03c556a144b552517f725297acac5c046313b9f8a96432d94cdf5c
SHA512: 0e25a152469a943eb9edc37a753dad54ffec54d434f2ba3d6e4d2a1a65469026ad7ad1868646bd02126488b4b37cbc9ec3b307c768d3224d3d5b9fcdc6cab39c
SSDEEP: 12288:+MwYi7KvtGdcPXZig1LgO5adyneWQ8MCUIFiyS0ry90JrgV9V8+7c:+MR/vtGd6XogRgqlneWMzIJry9mrghc
File Content Preview:MZ..............@.......@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...|.._...............G.2...H...........`........@..........................`.............................................

File Icon

Icon Hash: 0f4d494919151b03

Static PE Info

General

Entrypoint: 0x540800
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp: 0x5FC88D7C [Thu Dec 3 07:02:20 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 1
OS Version Minor: 0
File Version Major: 1
File Version Minor: 0
Subsystem Version Major: 1
Subsystem Version Minor: 0
Import Hash:

Entrypoint Preview

Instruction
call 00007FBD74F859A5h
pop edx
sub edx, 06h
push edx
xchg ebx, ebx
xchg ecx, ecx
and ecx, ecx
nop
xchg ecx, ecx
xchg ebx, ebx
mov ebx, dword ptr fs:[00000030h]
or ecx, ecx
xchg ecx, ecx
xchg ecx, ecx
mov ebx, dword ptr [ebx+0Ch]
xchg ebx, ebx
mov ebx, dword ptr [ebx+0Ch]
mov ebx, dword ptr [ebx]
xchg ecx, ecx
xchg ebx, ebx
xchg ecx, ecx
and edx, FFFFFFFFh
mov ebx, dword ptr [ebx]
and ecx, FFFFFFFFh
and eax, eax
mov eax, dword ptr [ebx+18h]
mov dword ptr [ebp-04h], eax
mov eax, dword ptr [eax+3Ch]
add eax, dword ptr [ebp-04h]
xchg ebx, ebx
xchg ebx, ebx
mov eax, dword ptr [eax+78h]
xchg edx, edx
add eax, dword ptr [ebp-04h]
and ecx, FFFFFFFFh
and ecx, FFFFFFFFh
mov ebx, dword ptr [eax+20h]
nop
add ebx, dword ptr [ebp-04h]
mov ecx, dword ptr [eax+1Ch]
add ecx, dword ptr [ebp-04h]
xchg ebx, ebx
and eax, eax
mov edx, dword ptr [eax+24h]
add edx, dword ptr [ebp-04h]
or ecx, ecx
push ecx
and eax, eax
mov esi, dword ptr [ebx]
or ecx, ecx
and eax, eax
and edx, FFFFFFFFh
add esi, dword ptr [ebp-04h]
and edx, FFFFFFFFh
and ebx, FFFFFFFFh
push edx
push esi
and edx, FFFFFFFFh
xchg edx, edx
call 00007FBD74F85A6Ch
or ebx, ebx
or eax, eax
or eax, eax
pop edx
and edx, edx
cmp eax, 0038D13Ch
je 00007FBD74F859B3h
add ebx, 04h
add edx, 02h
jmp 00007FBD74F85966h
or eax, eax
pop ecx
and edx, edx
and ecx, ecx
xor ebx, ebx
xchg ebx, ebx
mov bx, word ptr [edx]
or edx, edx
or ecx, ecx
imul ebx, ebx, 04h

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x18e000 | 0x7e62 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x13f9ae | 0x13fa00 | False | 0.238771631795 | PE32 executable (GUI) Intel 80386, for MS Windows | 4.31097129452 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x141000 | 0x7b8 | 0x800 | False | 0.623046875 | data | 5.6759037632 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x142000 | 0x4aacf | 0x4ac00 | False | 0.969752691263 | data | 7.97592063341 | IMAGE_SCN_MEM_READ
.tls | 0x18d000 | 0x7c | 0x200 | False | 0.052734375 | data | 0.118369631259 | IMAGE_SCN_MEM_READ
.rsrc | 0x18e000 | 0x7e62 | 0x8000 | False | 0.276885986328 | data | 5.1412464449 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x18e144 | 0x468 | GLS_BINARY_LSB_FIRST | |
RT_ICON | 0x18e5ac | 0x10a8 | data | |
RT_ICON | 0x18f654 | 0x25a8 | data | |
RT_ICON | 0x191bfc | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 0, next used block 0 | |
RT_GROUP_ICON | 0x195e24 | 0x3e | data | |

Network Behavior

Network Port Distribution

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 3, 2020 09:55:15.382527113 CET | 64267 | 53 | 192.168.2.6 | 8.8.8.8
Dec 3, 2020 09:55:15.409651041 CET | 53 | 64267 | 8.8.8.8 | 192.168.2.6
Dec 3, 2020 09:55:27.598934889 CET | 49448 | 53 | 192.168.2.6 | 8.8.8.8
Dec 3, 2020 09:55:27.626153946 CET | 53 | 49448 | 8.8.8.8 | 192.168.2.6
Dec 3, 2020 09:55:30.712460995 CET | 60342 | 53 | 192.168.2.6 | 8.8.8.8
Dec 3, 2020 09:55:30.739506006 CET | 53 | 60342 | 8.8.8.8 | 192.168.2.6
Dec 3, 2020 09:55:42.195780993 CET | 61346 | 53 | 192.168.2.6 | 8.8.8.8
Dec 3, 2020 09:55:42.222894907 CET | 53 | 61346 | 8.8.8.8 | 192.168.2.6
Dec 3, 2020 09:55:48.526441097 CET | 51774 | 53 | 192.168.2.6 | 8.8.8.8
Dec 3, 2020 09:55:48.562110901 CET | 53 | 51774 | 8.8.8.8 | 192.168.2.6
Dec 3, 2020 09:55:48.740497112 CET | 56023 | 53 | 192.168.2.6 | 8.8.8.8
Dec 3, 2020 09:55:48.767518997 CET | 53 | 56023 | 8.8.8.8 | 192.168.2.6
Dec 3, 2020 09:55:49.060944080 CET | 58384 | 53 | 192.168.2.6 | 8.8.8.8
Dec 3, 2020 09:55:49.088076115 CET | 53 | 58384 | 8.8.8.8 | 192.168.2.6
Dec 3, 2020 09:55:49.610852003 CET | 60261 | 53 | 192.168.2.6 | 8.8.8.8
Dec 3, 2020 09:55:49.646439075 CET | 53 | 60261 | 8.8.8.8 | 192.168.2.6
Dec 3, 2020 09:55:49.963970900 CET | 56061 | 53 | 192.168.2.6 | 8.8.8.8
Dec 3, 2020 09:55:49.999511003 CET | 53 | 56061 | 8.8.8.8 | 192.168.2.6
Dec 3, 2020 09:55:50.032325029 CET | 58336 | 53 | 192.168.2.6 | 8.8.8.8
Dec 3, 2020 09:55:50.059374094 CET | 53 | 58336 | 8.8.8.8 | 192.168.2.6
Dec 3, 2020 09:55:50.355537891 CET | 53781 | 53 | 192.168.2.6 | 8.8.8.8
Dec 3, 2020 09:55:50.391247034 CET | 53 | 53781 | 8.8.8.8 | 192.168.2.6
Dec 3, 2020 09:55:50.830770969 CET | 54064 | 53 | 192.168.2.6 | 8.8.8.8
Dec 3, 2020 09:55:50.857815981 CET | 53 | 54064 | 8.8.8.8 | 192.168.2.6
Dec 3, 2020 09:55:50.987785101 CET | 52811 | 53 | 192.168.2.6 | 8.8.8.8
Dec 3, 2020 09:55:51.023884058 CET | 55299 | 53 | 192.168.2.6 | 8.8.8.8
Dec 3, 2020 09:55:51.038671970 CET | 53 | 52811 | 8.8.8.8 | 192.168.2.6
Dec 3, 2020 09:55:51.050940990 CET | 53 | 55299 | 8.8.8.8 | 192.168.2.6
Dec 3, 2020 09:55:51.278572083 CET | 63745 | 53 | 192.168.2.6 | 8.8.8.8
Dec 3, 2020 09:55:51.314137936 CET | 53 | 63745 | 8.8.8.8 | 192.168.2.6
Dec 3, 2020 09:55:52.014503002 CET | 50055 | 53 | 192.168.2.6 | 8.8.8.8
Dec 3, 2020 09:55:52.041543007 CET | 53 | 50055 | 8.8.8.8 | 192.168.2.6
Dec 3, 2020 09:55:52.042524099 CET | 61374 | 53 | 192.168.2.6 | 8.8.8.8
Dec 3, 2020 09:55:52.078263998 CET | 53 | 61374 | 8.8.8.8 | 192.168.2.6
Dec 3, 2020 09:55:52.772540092 CET | 50339 | 53 | 192.168.2.6 | 8.8.8.8
Dec 3, 2020 09:55:52.807884932 CET | 53 | 50339 | 8.8.8.8 | 192.168.2.6
Dec 3, 2020 09:55:53.305727005 CET | 63307 | 53 | 192.168.2.6 | 8.8.8.8
Dec 3, 2020 09:55:53.341255903 CET | 53 | 63307 | 8.8.8.8 | 192.168.2.6
Dec 3, 2020 09:55:54.202275038 CET | 49694 | 53 | 192.168.2.6 | 8.8.8.8
Dec 3, 2020 09:55:54.254012108 CET | 53 | 49694 | 8.8.8.8 | 192.168.2.6
Dec 3, 2020 09:55:59.313374043 CET | 54982 | 53 | 192.168.2.6 | 8.8.8.8
Dec 3, 2020 09:55:59.340518951 CET | 53 | 54982 | 8.8.8.8 | 192.168.2.6
Dec 3, 2020 09:56:01.322101116 CET | 50010 | 53 | 192.168.2.6 | 8.8.8.8
Dec 3, 2020 09:56:01.358037949 CET | 53 | 50010 | 8.8.8.8 | 192.168.2.6
Dec 3, 2020 09:56:01.899019003 CET | 63718 | 53 | 192.168.2.6 | 8.8.8.8
Dec 3, 2020 09:56:01.936269999 CET | 53 | 63718 | 8.8.8.8 | 192.168.2.6
Dec 3, 2020 09:56:02.475178003 CET | 62116 | 53 | 192.168.2.6 | 8.8.8.8
Dec 3, 2020 09:56:02.502134085 CET | 53 | 62116 | 8.8.8.8 | 192.168.2.6
Dec 3, 2020 09:56:03.477876902 CET | 63816 | 53 | 192.168.2.6 | 8.8.8.8
Dec 3, 2020 09:56:03.504909039 CET | 53 | 63816 | 8.8.8.8 | 192.168.2.6
Dec 3, 2020 09:56:04.812575102 CET | 55014 | 53 | 192.168.2.6 | 8.8.8.8
Dec 3, 2020 09:56:04.839746952 CET | 53 | 55014 | 8.8.8.8 | 192.168.2.6
Dec 3, 2020 09:56:05.995042086 CET | 62208 | 53 | 192.168.2.6 | 8.8.8.8
Dec 3, 2020 09:56:06.022115946 CET | 53 | 62208 | 8.8.8.8 | 192.168.2.6
Dec 3, 2020 09:56:07.062769890 CET | 57574 | 53 | 192.168.2.6 | 8.8.8.8
Dec 3, 2020 09:56:07.090977907 CET | 53 | 57574 | 8.8.8.8 | 192.168.2.6
Dec 3, 2020 09:56:08.196661949 CET | 51818 | 53 | 192.168.2.6 | 8.8.8.8
Dec 3, 2020 09:56:08.223818064 CET | 53 | 51818 | 8.8.8.8 | 192.168.2.6
Dec 3, 2020 09:56:09.229789972 CET | 56628 | 53 | 192.168.2.6 | 8.8.8.8
Dec 3, 2020 09:56:09.265063047 CET | 53 | 56628 | 8.8.8.8 | 192.168.2.6
Dec 3, 2020 09:56:35.032382965 CET | 60778 | 53 | 192.168.2.6 | 8.8.8.8
Dec 3, 2020 09:56:35.069066048 CET | 53 | 60778 | 8.8.8.8 | 192.168.2.6
Dec 3, 2020 09:56:39.613584042 CET | 53799 | 53 | 192.168.2.6 | 8.8.8.8
Dec 3, 2020 09:56:39.640738964 CET | 53 | 53799 | 8.8.8.8 | 192.168.2.6
Dec 3, 2020 09:56:40.717015028 CET | 54683 | 53 | 192.168.2.6 | 8.8.8.8
Dec 3, 2020 09:56:40.744045019 CET | 53 | 54683 | 8.8.8.8 | 192.168.2.6
Dec 3, 2020 09:56:55.302460909 CET | 59329 | 53 | 192.168.2.6 | 8.8.8.8
Dec 3, 2020 09:56:55.329572916 CET | 53 | 59329 | 8.8.8.8 | 192.168.2.6
Dec 3, 2020 09:57:11.626024008 CET | 64021 | 53 | 192.168.2.6 | 8.8.8.8
Dec 3, 2020 09:57:11.653177977 CET | 53 | 64021 | 8.8.8.8 | 192.168.2.6
Dec 3, 2020 09:57:13.986433029 CET | 56129 | 53 | 192.168.2.6 | 8.8.8.8
Dec 3, 2020 09:57:14.013592005 CET | 53 | 56129 | 8.8.8.8 | 192.168.2.6

System Behavior

General

Start time: 09:55:07
Start date: 03/12/2020
Path: C:\Users\user\Desktop\CUSTOM SHIPING DOCS.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\CUSTOM SHIPING DOCS.exe'
Imagebase: 0x400000
File size: 1651712 bytes
MD5 hash: 5533EC4C49C29A1225D1B01D38933BD4
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

General

Start time: 09:55:09
Start date: 03/12/2020
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 7072 -s 212
Imagebase: 0x3a0000
File size: 434592 bytes
MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
