Analysis
- max time kernel: 136s
- max time network: 137s
- platform: windows7_x64
- resource: win7-en
- submitted: 15-09-2021 06:26

Static task: static1
Behavioral task: behavioral1
Sample: Payment.exe
Resource: win7-en (windows7_x64)
0 signatures, 0 seconds
General
- Target: Payment.exe
- Size: 616KB
- MD5: 933cedbe56bd04acdbbb183a0004162b
- SHA1: 9a255a7eaa2dd334dcde3f9c8f73e8c25e3a8a65
- SHA256: a57534ac7570e5be7e25f1c0d9745dc549d56b193ed7b1547e61ae79485edc1c
- SHA512: 42cce5f2e1d9a96bddd3312c7433a2620a3aef84c612501728f77fca159620ff4c69885933e7a2a15c72d7e8a44a0d2e76d41bb2ba6ccb7ec9be04d10cd72545
- Score: 1/10
Malware Config
Signatures
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  Processes (Payment.exe):
    pid    process
    1640   Payment.exe   (10 identical entries)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (Payment.exe):
    description               pid    process
    Token: SeDebugPrivilege   1640   Payment.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes (Payment.exe):
    description                        pid    process       target process
    PID 1640 wrote to memory of 320    1640   Payment.exe   Payment.exe   (4 entries)
    PID 1640 wrote to memory of 1432   1640   Payment.exe   Payment.exe   (4 entries)
    PID 1640 wrote to memory of 528    1640   Payment.exe   Payment.exe   (4 entries)
    PID 1640 wrote to memory of 956    1640   Payment.exe   Payment.exe   (4 entries)
    PID 1640 wrote to memory of 2024   1640   Payment.exe   Payment.exe   (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\Payment.exe
  "C:\Users\Admin\AppData\Local\Temp\Payment.exe"  (level 1)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Payment.exe
    "C:\Users\Admin\AppData\Local\Temp\Payment.exe"  (level 2)
  - C:\Users\Admin\AppData\Local\Temp\Payment.exe
    "C:\Users\Admin\AppData\Local\Temp\Payment.exe"  (level 2)
  - C:\Users\Admin\AppData\Local\Temp\Payment.exe
    "C:\Users\Admin\AppData\Local\Temp\Payment.exe"  (level 2)
  - C:\Users\Admin\AppData\Local\Temp\Payment.exe
    "C:\Users\Admin\AppData\Local\Temp\Payment.exe"  (level 2)
  - C:\Users\Admin\AppData\Local\Temp\Payment.exe
    "C:\Users\Admin\AppData\Local\Temp\Payment.exe"  (level 2)
Network
MITRE ATT&CK Matrix
Downloads
- memory/1640-52-0x00000000003C0000-0x00000000003C1000-memory.dmp   Filesize: 4KB
- memory/1640-54-0x0000000004D20000-0x0000000004D21000-memory.dmp   Filesize: 4KB
- memory/1640-55-0x0000000000510000-0x0000000000517000-memory.dmp   Filesize: 28KB
- memory/1640-56-0x0000000007DA0000-0x0000000007E08000-memory.dmp   Filesize: 416KB
- memory/1640-57-0x0000000004600000-0x0000000004633000-memory.dmp   Filesize: 204KB