Analysis
- max time kernel: 151s
- max time network: 122s
- platform: windows7_x64
- resource: win7-en-20211104
- submitted: 01-12-2021 14:20
Static task: static1

Behavioral task: behavioral1
- Sample: proforma invoice packing list.exe
- Resource: win7-en-20211104 (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: proforma invoice packing list.exe
- Resource: win10-en-20211014 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: proforma invoice packing list.exe
- Size: 634KB
- MD5: 48fb8e04e65715d3b3061ae94cd2c05d
- SHA1: 3b902deb417733907561e79706a4834e754231b7
- SHA256: e5f9ad28d453a801995d0505222189cfcb86ea7baa429979c21f85ca11adf7fc
- SHA512: c7213cc8e34fca207a3f01f3f3d79a502345f576d32361465f899f68758e29d301491ad4d96fba83c7bdeff66cf3bd4dc79663654501f426b8e58122b3f27eb6
- Score: 3/10
Malware Config
Signatures

Program crash (1 IoC)
Processes:
  pid   pid_target   process        target process
  868   1124         WerFault.exe   proforma invoice packing list.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes:
  pid   process
  868   WerFault.exe
  868   WerFault.exe
  868   WerFault.exe
  868   WerFault.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
  pid   process
  868   WerFault.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description              pid   process
  Token: SeDebugPrivilege  868   WerFault.exe

Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
  description                      pid    process                             target process
  PID 1124 wrote to memory of 868  1124   proforma invoice packing list.exe   WerFault.exe
  PID 1124 wrote to memory of 868  1124   proforma invoice packing list.exe   WerFault.exe
  PID 1124 wrote to memory of 868  1124   proforma invoice packing list.exe   WerFault.exe
  PID 1124 wrote to memory of 868  1124   proforma invoice packing list.exe   WerFault.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\proforma invoice packing list.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\proforma invoice packing list.exe"
   - Suspicious use of WriteProcessMemory

2. C:\Windows\SysWOW64\WerFault.exe (child of process 1)
   Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1124 -s 676
   - Program crash
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/868-61-0x0000000000000000-mapping.dmp
- memory/868-62-0x0000000000290000-0x0000000000291000-memory.dmp (Filesize: 4KB)
- memory/1124-55-0x0000000001040000-0x0000000001041000-memory.dmp (Filesize: 4KB)
- memory/1124-57-0x0000000075C51000-0x0000000075C53000-memory.dmp (Filesize: 8KB)
- memory/1124-58-0x0000000000EF0000-0x0000000000EF1000-memory.dmp (Filesize: 4KB)
- memory/1124-59-0x0000000000AD0000-0x0000000000AD6000-memory.dmp (Filesize: 24KB)
- memory/1124-60-0x0000000005D90000-0x0000000005E24000-memory.dmp (Filesize: 592KB)