0c63172bdfe14f19a76c34ce3d9528761fc2e3b7e39d9a10ad5ee8a64cd79f29

Analysis

Target

PAYMENT ADVISE HSBC INTERNATIONAL_pdf.exe
Size

592KB
MD5

f228daa5647666d29fd8a3450293867b
SHA1

71a0babceaa1cbda858383be9daeac2dd0ab0d21
SHA256

0c63172bdfe14f19a76c34ce3d9528761fc2e3b7e39d9a10ad5ee8a64cd79f29
SHA512

cf9f75b4752014a56c857957144496565448c6e1ef13b44ee0a84690ae04b7dd7ba5756a890051cd2433513916b6d6b767674482326d7c0fc2bbb2d91c7bcfc6

Score

9^/10

CustAttr .NET packer 1 IoCs

Detects CustAttr .NET packer in memory.

resource	yara_rule
behavioral2/memory/1808-121-0x0000000005460000-0x0000000005465000-memory.dmp	CustAttr

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1496	1808	WerFault.exe	17

Suspicious behavior: EnumeratesProcesses 14 IoCs

Suspicious use of AdjustPrivilegeToken 3 IoCs

C:\Users\Admin\AppData\Local\Temp\PAYMENT ADVISE HSBC INTERNATIONAL_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\PAYMENT ADVISE HSBC INTERNATIONAL_pdf.exe"
1⤵
PID:1808
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1808 -s 1120
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1496

memory/1808-114-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/1808-116-0x00000000051F0000-0x00000000051F1000-memory.dmp

Filesize
4KB

Download
memory/1808-117-0x0000000005870000-0x0000000005871000-memory.dmp

Filesize
4KB

Download
memory/1808-118-0x0000000005370000-0x0000000005371000-memory.dmp

Filesize
4KB

Download
memory/1808-119-0x0000000002D60000-0x0000000002D61000-memory.dmp

Filesize
4KB

Download
memory/1808-120-0x0000000005470000-0x0000000005471000-memory.dmp

Filesize
4KB

Download
memory/1808-121-0x0000000005460000-0x0000000005465000-memory.dmp

Filesize
20KB

Download
memory/1808-122-0x0000000005370000-0x000000000586E000-memory.dmp

Filesize
5.0MB

Download