Analysis Report CUSTOM SHIPING DOCS.exe

Overview

General Information

Sample Name: CUSTOM SHIPING DOCS.exe
Analysis ID: 326327
MD5: 5533ec4c49c29a1225d1b01d38933bd4
SHA1: f3aa3401d15d44d65177ba02244c189ee1e822fb
SHA256: ed8bdc7dfb03c556a144b552517f725297acac5c046313b9f8a96432d94cdf5c
Tags: exe

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Machine Learning detection for sample
PE file has a writeable .text section
Checks if the current process is being debugged
Enables debug privileges
One or more processes crash
PE file contains strange resources
PE file does not import any functions
Queries disk information (often used to detect virtual machines)
Stores large binary data to the registry
Tries to load missing DLLs

Classification

AV Detection:

Machine Learning detection for sample
Source: CUSTOM SHIPING DOCS.exe Joe Sandbox ML: detected

System Summary:

PE file has a writeable .text section
Source: CUSTOM SHIPING DOCS.exe Static PE information: Section: .text IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
One or more processes crash
Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 216
PE file contains strange resources
Source: CUSTOM SHIPING DOCS.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
PE file does not import any functions
Source: CUSTOM SHIPING DOCS.exe Static PE information: No import functions for PE file found
Tries to load missing DLLs
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: classification engine Classification label: mal48.winEXE@2/4@0/0
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4856
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERB0BF.tmp
Source: C:\Users\user\Desktop\CUSTOM SHIPING DOCS.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown Process created: C:\Users\user\Desktop\CUSTOM SHIPING DOCS.exe 'C:\Users\user\Desktop\CUSTOM SHIPING DOCS.exe'
Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 216
Source: CUSTOM SHIPING DOCS.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: CUSTOM SHIPING DOCS.exe Static file information: File size 1651712 > 1048576
Source: CUSTOM SHIPING DOCS.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x13fa00

Hooking and other Techniques for Hiding and Protection:

Stores large binary data to the registry
Source: C:\Windows\SysWOW64\WerFault.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363} DeviceTicket
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Queries disk information (often used to detect virtual machines)
Source: C:\Windows\SysWOW64\WerFault.exe File opened: PhysicalDrive0
Source: C:\Windows\SysWOW64\WerFault.exe Process information queried: ProcessInformation

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Users\user\Desktop\CUSTOM SHIPING DOCS.exe Process queried: DebugPort
Enables debug privileges
Source: C:\Windows\SysWOW64\WerFault.exe Process token adjusted: Debug

No Screenshots

Behavior Graph

Behavior Graph ID: 326327
Sample: CUSTOM SHIPING DOCS.exe
Startdate: 03/12/2020
Architecture: WINDOWS
Score: 48
Graph signatures: Machine Learning detection for sample; PE file has a writeable .text section
Process chain: CUSTOM SHIPING DOCS.exe started, then WerFault.exe started
No contacted IP infos