Analysis
max time kernel: 24s
max time network: 112s
platform: windows10_x64
resource: win10v20201028
submitted: 02/12/2020, 09:20
Static task: static1

Behavioral task: behavioral1
  Sample: Payment Advice.exe
  Resource: win7v20201028
  0 signatures, 0 seconds

Behavioral task: behavioral2
  Sample: Payment Advice.exe
  Resource: win10v20201028
  0 signatures, 0 seconds
General
Target: Payment Advice.exe
Size: 21KB
MD5: 361662a43b699d9ec3cdfd282ae7d223
SHA1: 1ed81bf68e94e16d1e56a78dc71c9fcd993e0973
SHA256: e39ed8bfee05ab6d964885748f4800bf955b47b59002213e34e5b9d331882b98
SHA512: 0d1898d0b7204e2154d5d3b6a38d6b1d69e27d7368d6f214cc10e0d711e42293876ed18e5d228e18f4dcaaea6de02dd672a20820513e724fce917960b83a2f42
Score: 3/10
Malware Config
Signatures
Program crash (1 IoC)
  pid: 3132, pid_target: 2432, Process: WerFault.exe, procid_target: 67

Delays execution with timeout.exe (1 IoC)
  pid: 3708, Process: timeout.exe

Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid: 3132, Process: WerFault.exe (14 identical entries)

Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Token: SeDebugPrivilege, pid: 2432, Process: Payment Advice.exe
  Token: SeRestorePrivilege, pid: 3132, Process: WerFault.exe
  Token: SeBackupPrivilege, pid: 3132, Process: WerFault.exe
  Token: SeDebugPrivilege, pid: 3132, Process: WerFault.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  PID 2432 wrote to memory of 2128, pid: 2432, Process: Payment Advice.exe, procid_target: 75 (3 identical entries)
  PID 2128 wrote to memory of 3708, pid: 2128, Process: cmd.exe, procid_target: 77 (3 identical entries)
Processes

1. C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe"
   PID: 2432
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c timeout 4.891
      PID: 2128
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\timeout.exe
         Command line: timeout 4.891
         PID: 3708
         - Delays execution with timeout.exe

   2. C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 1724
      PID: 3132
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken