Analysis

max time kernel:   122s
max time network:  122s
platform:          windows7_x64
resource:          win7-en-20211014
submitted:         01-12-2021 08:29
Static task:      static1
Behavioral task:  behavioral1
Sample:           Overdue Invoice.exe
Resource:         win7-en-20211014
Platform:         windows7_x64
0 signatures, 0 seconds
General

Target:  Overdue Invoice.exe
Size:    614KB
MD5:     fc0c4e91f8407bc6d4d650924e7a4fae
SHA1:    6dd4286594c7d6171c9cf8479cd6a2b0821d053f
SHA256:  e630a2d0f63e21c38730606f15825c625d37eb1ff5b038724b403a1f72c591ec
SHA512:  038c6d7e7a455bf79fc9c5e77800d04be999b0ba84568eb90b18fb622577ceb54fa4ab5854bc8386b48d6cbaa53008993f94eb8172b6d8d74107cdb741ef811f
Score:   3/10
Malware Config
Signatures

Program crash (1 IoC)
Processes:
  pid   pid_target  process       target process
  1404  1772        WerFault.exe  Overdue Invoice.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes:
  pid   process
  1404  WerFault.exe
  1404  WerFault.exe
  1404  WerFault.exe
  1404  WerFault.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description              pid   process
  Token: SeDebugPrivilege  1404  WerFault.exe

Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
  description                       pid   process              target process
  PID 1772 wrote to memory of 1404  1772  Overdue Invoice.exe  WerFault.exe
  PID 1772 wrote to memory of 1404  1772  Overdue Invoice.exe  WerFault.exe
  PID 1772 wrote to memory of 1404  1772  Overdue Invoice.exe  WerFault.exe
  PID 1772 wrote to memory of 1404  1772  Overdue Invoice.exe  WerFault.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\Overdue Invoice.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Overdue Invoice.exe"
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1772 -s 668
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads

memory/1404-60-0x0000000000000000-mapping.dmp
memory/1404-61-0x00000000002B0000-0x00000000002B1000-memory.dmp   Filesize: 4KB
memory/1772-55-0x00000000013C0000-0x00000000013C1000-memory.dmp   Filesize: 4KB
memory/1772-57-0x0000000004BA0000-0x0000000004BA1000-memory.dmp   Filesize: 4KB
memory/1772-58-0x00000000002C0000-0x00000000002C6000-memory.dmp   Filesize: 24KB
memory/1772-59-0x0000000004C40000-0x0000000004C97000-memory.dmp   Filesize: 348KB