Analysis
- max time kernel: 131s
- max time network: 121s
- platform: windows7_x64
- resource: win7-en-20211014
- submitted: 19-10-2021 09:59
Static task: static1

Behavioral task: behavioral1
- Sample: Payment Slip.exe
- Resource: win7-en-20211014 (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: Payment Slip.exe
- Resource: win10-en-20210920 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: Payment Slip.exe
- Size: 81KB
- MD5: 6e93f7298beda239f60083a0c5425060
- SHA1: 3eae538f716c7ef96ec27915d966e5ee8eb95f61
- SHA256: f3a8222b6462aafcc1d47fa1a1ca8972daf438b0d98666308958982307ab88fd
- SHA512: 559cf0a364fb1e2fd6d40a0113d201e81f531c325aaf4ddb701b1343bfedb654ed7ab34a0eff07eeb5cde7e5cf674bf5cd0fabc55b3638b26e77cd8cf31c4a23
- Score: 3/10
Malware Config

Signatures
- Program crash (1 IoC)
  Processes:
  pid   pid_target   process        target process
  780   1764         WerFault.exe   Payment Slip.exe
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes:
  pid   process
  780   WerFault.exe
  780   WerFault.exe
  780   WerFault.exe
  780   WerFault.exe
  780   WerFault.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
  pid   process
  780   WerFault.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  description               pid    process
  Token: SeDebugPrivilege   1764   Payment Slip.exe
  Token: SeDebugPrivilege   780    WerFault.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  description                         pid    process            target process
  PID 1764 wrote to memory of 780     1764   Payment Slip.exe   WerFault.exe
  PID 1764 wrote to memory of 780     1764   Payment Slip.exe   WerFault.exe
  PID 1764 wrote to memory of 780     1764   Payment Slip.exe   WerFault.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe (PID 1764)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\WerFault.exe (PID 780, child of PID 1764)
    Command line: C:\Windows\system32\WerFault.exe -u -p 1764 -s 988
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/780-58-0x0000000000000000-mapping.dmp
- memory/780-59-0x000007FEFB561000-0x000007FEFB563000-memory.dmp (Filesize: 8KB)
- memory/780-60-0x0000000000320000-0x0000000000321000-memory.dmp (Filesize: 4KB)
- memory/1764-54-0x0000000000C90000-0x0000000000C91000-memory.dmp (Filesize: 4KB)
- memory/1764-56-0x0000000000250000-0x0000000000252000-memory.dmp (Filesize: 8KB)
- memory/1764-57-0x000000001ACE0000-0x000000001ACE2000-memory.dmp (Filesize: 8KB)