Analysis
- max time kernel: 38s
- max time network: 41s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 13-10-2022 07:46
Static task
- static1

Behavioral task
- behavioral1
  - Sample: DHL EXPRESS LEVERINGSBERICHT VOOR,pdf.exe
  - Resource: win7-20220812-en (windows7-x64)
  - 3 signatures
  - 150 seconds

Behavioral task
- behavioral2
  - Sample: DHL EXPRESS LEVERINGSBERICHT VOOR,pdf.exe
  - Resource: win10v2004-20220812-en (windows10-2004-x64)
  - 4 signatures
  - 150 seconds

The signatures and process tree below come from the Windows 7 run (behavioral1, resource win7-20220812-en, 3 signatures). The Windows 10 run reported 4 signatures, but its details are not included on this page.
General
- Target: DHL EXPRESS LEVERINGSBERICHT VOOR,pdf.exe
  (Dutch: "DHL EXPRESS DELIVERY NOTICE FOR". The ",pdf.exe" ending is a double-extension lure: the file is an executable, not a PDF.)
- Size: 27KB
- MD5: 4dc3ea5a5834d3dfdb1e539d639bbd40
- SHA1: adb17342c8af9f6dfca3506ac9da9da886b81d88
- SHA256: f4a373fc450be3031cd58ed55a1a1e3357851bc25a63c16f0804ea035d3b881d
- SHA512: 1e1c0efdde9aba9b7472d92fdc2f95ea4b4beaec517737d98377b19dcdd2d992040ca32a9c0eea4a5d367040ea9e0acbd3b66a2d582e24d5100a725c84f593e7
- SSDEEP: 384:xXqVQvSX3Ui4EGtI1g4+vU81Q5eBZAvmy8ZpHzGovUJAYkAYMjZB:wHXkTnlxUGQ5S+v7iRPPRMNB
- Score: 3/10
Malware Config
Signatures
- Program crash (1 IoC)
  Processes: WerFault.exe (pid 908) handled a crash of DHL EXPRESS LEVERINGSBERICHT VOOR,pdf.exe (target pid 1612)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: DHL EXPRESS LEVERINGSBERICHT VOOR,pdf.exe (pid 1612) adjusted its token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: DHL EXPRESS LEVERINGSBERICHT VOOR,pdf.exe (pid 1612) wrote to memory of WerFault.exe (pid 908), 4 times
  Note: all four writes target the WerFault.exe instance that pid 1612 itself launched to report its own crash (see the -p 1612 argument in the process tree below), so this is crash-handling activity rather than injection into an unrelated process. Because the sample crashed, the run captured nothing beyond that failure; the low score reflects the absence of observed behaviour and is not evidence that the file is benign.
Processes
- C:\Users\Admin\AppData\Local\Temp\DHL EXPRESS LEVERINGSBERICHT VOOR,pdf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\DHL EXPRESS LEVERINGSBERICHT VOOR,pdf.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WerFault.exe (child of pid 1612)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 1132
    - Program crash
  Note: WerFault.exe is launched from SysWOW64 rather than System32, so the crashing sample is a 32-bit executable running under WOW64 on the x64 VM.
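The check applied in the notes above, written out as an added example (this is not part of the Triage report and not the sandbox's own signature logic): a WriteProcessMemory row is treated as crash reporting only when the target is a WerFault.exe child of the writer whose command line names the writer's pid with -p. The report's own rows are reconstructed from the tables above; the rows for pids 4242 and 1337 (constructed_dropper.exe writing into RegAsm.exe) are a constructed, hypothetical contrast showing what a row that should keep the injection label looks like. The double-extension and WOW64 checks cover the two other observations made on this page.

```python
import re

# Rows from the report: (writer pid, writer image, target pid, target image).
# The last row is constructed for contrast and is not from the report.
WPM_EVENTS = [
    (1612, "DHL EXPRESS LEVERINGSBERICHT VOOR,pdf.exe", 908, "WerFault.exe"),
    (1612, "DHL EXPRESS LEVERINGSBERICHT VOOR,pdf.exe", 908, "WerFault.exe"),
    (1612, "DHL EXPRESS LEVERINGSBERICHT VOOR,pdf.exe", 908, "WerFault.exe"),
    (1612, "DHL EXPRESS LEVERINGSBERICHT VOOR,pdf.exe", 908, "WerFault.exe"),
    (4242, "constructed_dropper.exe", 1337, "RegAsm.exe"),  # constructed example
]

# Process tree: pid -> (parent pid, command line). Pids 1612 and 908 are from
# the report; 4242 and 1337 are constructed to match the contrast row above.
PROCESSES = {
    1612: (None, r'"C:\Users\Admin\AppData\Local\Temp\DHL EXPRESS LEVERINGSBERICHT VOOR,pdf.exe"'),
    908: (1612, r"C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 1132"),
    4242: (None, r'"C:\Users\Admin\constructed_dropper.exe"'),
    1337: (4242, r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"'),
}

# WerFault.exe is started with -p <pid of the crashing process>.
WERFAULT_RE = re.compile(r"WerFault\.exe.*\s-p\s+(\d+)", re.IGNORECASE)


def is_crash_report_write(writer_pid, target_pid, processes):
    """True when target_pid is a WerFault.exe child that the writer launched
    to report the writer's own crash: parent == writer and -p == writer."""
    entry = processes.get(target_pid)
    if entry is None:
        return False
    parent, cmdline = entry
    m = WERFAULT_RE.search(cmdline)
    return parent == writer_pid and m is not None and int(m.group(1)) == writer_pid


def classify_wpm_events(events, processes):
    """Collapse repeated identical rows per (writer, target) pair and label
    each pair as crash-report or possible-injection."""
    seen = {}
    for wpid, wimg, tpid, timg in events:
        key = (wpid, tpid)
        if key not in seen:
            label = ("crash-report" if is_crash_report_write(wpid, tpid, processes)
                     else "possible-injection")
            seen[key] = {"writer": wimg, "target": timg, "count": 0, "label": label}
        seen[key]["count"] += 1
    return seen


# A document-like token followed by a separator and an executable extension,
# e.g. "...,pdf.exe" or "invoice.doc.scr". The separator set is an assumption.
DOUBLE_EXT_RE = re.compile(
    r"[-.,_ ](pdf|doc|docx|xls|xlsx|jpg|png|txt)\.(exe|scr|com|pif)$", re.IGNORECASE)


def has_double_extension_lure(filename):
    return DOUBLE_EXT_RE.search(filename) is not None


def wow64_werfault(cmdline):
    """SysWOW64\\WerFault.exe on 64-bit Windows means the crasher was 32-bit."""
    return "\\syswow64\\werfault.exe" in cmdline.lower()


if __name__ == "__main__":
    for (w, t), info in classify_wpm_events(WPM_EVENTS, PROCESSES).items():
        print(f"{info['writer']} ({w}) -> {info['target']} ({t}): "
              f"{info['count']}x, {info['label']}")
    print("double-extension lure:",
          has_double_extension_lure("DHL EXPRESS LEVERINGSBERICHT VOOR,pdf.exe"))
    print("32-bit crasher:", wow64_werfault(PROCESSES[908][1]))
```

Run on the report's rows, the four writes to pid 908 collapse into one crash-report pair, while the constructed 4242 -> 1337 row keeps the possible-injection label because RegAsm.exe is neither WerFault.exe nor started with -p 4242. Requiring both the parent relationship and the -p pid match is deliberate: a sample that injects into a WerFault.exe it did not spawn, or one it spawned with someone else's pid, should still be flagged.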