08ad11bae99deab8e128dfea4c85f8bb46124f32a7cfae956c1b650e94f005fa | Triage

Analysis

max time kernel
47s
max time network
44s
platform
windows7_x64
resource
win7-20220718-en
resource tags

arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system
submitted
10-08-2022 11:16

Sharing

Report Analysis Logs

General

Target

invoice.exe
Size

16KB
MD5

aa1d9a07e0bd53a161cb35168bb1bb31
SHA1

f4503fd5b9d8b23c02bff1abd23fb17ce341f907
SHA256

08ad11bae99deab8e128dfea4c85f8bb46124f32a7cfae956c1b650e94f005fa
SHA512

1185abec300c865b7f167f583b5b2ea62b7860ad9da58d0b0779a754ea9fc783a8c49d6592e345c7840ad773936a14d9ced6e39651eeaecf3271d5acd9b36049

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1504 1892 WerFault.exe invoice.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

invoice.exe

description pid process

Token: SeDebugPrivilege 1892 invoice.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

invoice.exe

description	pid	process	target process
PID 1892 wrote to memory of 1504	1892	invoice.exe	WerFault.exe
PID 1892 wrote to memory of 1504	1892	invoice.exe	WerFault.exe
PID 1892 wrote to memory of 1504	1892	invoice.exe	WerFault.exe
PID 1892 wrote to memory of 1504	1892	invoice.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\invoice.exe
"C:\Users\Admin\AppData\Local\Temp\invoice.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1892 -s 1052
2⤵
- Program crash
PID:1504

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1504-56-0x0000000000000000-mapping.dmp

Download
memory/1892-54-0x0000000000C30000-0x0000000000C38000-memory.dmp

Filesize
32KB

Download
memory/1892-55-0x0000000075CC1000-0x0000000075CC3000-memory.dmp

Filesize
8KB

Download