Analysis

  • max time kernel
    184s
  • max time network
    194s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20220812-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    24-11-2022 07:48

General

  • Target

    Processing.Pdf____________________________________________________________.exe

  • Size

    478KB

  • MD5

    e46421290522060e95dc6c6ac9bab9c8

  • SHA1

    08aaa1203dca088e366ea31253ec264ca710f015

  • SHA256

    c7715cabaa44e33a7e60bc3599924d77e0021383d2f6b1b0ecd5e84bcbfb62c2

  • SHA512

    d590f467b8ebcc8805d910506585033c29c6f3f47b232cf2ebbfea91bf139e135b197ecd8a599521b25cf45fa0e46932e992842651ffe4d0c71b9c2d866369a5

  • SSDEEP

    6144:/ipL4qsxpzEeqcQL3dOk+yrctZl/nS0JSAS2cu1PfFjHNNj9iL:/6UZbzH2Ok+HbrJSycwl/j90

Score
5/10

Malware Config

Signatures

  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Processing.Pdf____________________________________________________________.exe
    "C:\Users\Admin\AppData\Local\Temp\Processing.Pdf____________________________________________________________.exe"
    1⤵
    • Suspicious use of NtCreateThreadExHideFromDebugger
    • Suspicious use of SetThreadContext
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:3776
    • C:\Users\Admin\AppData\Local\Temp\Processing.Pdf____________________________________________________________.exe
      "C:\Users\Admin\AppData\Local\Temp\Processing.Pdf____________________________________________________________.exe"
      2⤵
        PID:2440
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 8
          3⤵
          • Program crash
          PID:1852
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2440 -ip 2440
    1⤵
    PID:4800
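
The process tree above shows the sample launching a second copy of its own image (PID 3776 -> PID 2440), the parent flagged for WriteProcessMemory (10 events) and SetThreadContext, and the child then crashing under WerFault. A same-image child, cross-process writes into it and a redirected thread context is the API-level shape of process hollowing (RunPE-style self-injection), and a thread created with the NtCreateThreadEx hide-from-debugger flag is an anti-debug measure that commonly accompanies it. The report records the signatures, not the creation flags or the written bytes, so the pattern stays a candidate rather than a confirmed verdict. As an added example that is not part of this report, the Python below scores that chain over a constructed API trace: the event schema, image paths and argument values are invented for illustration, and only the PIDs 3776 and 2440 are borrowed from the tree.

```python
"""Score the same-image child + WriteProcessMemory + SetThreadContext chain in an
API trace. Added example: the event schema and the sample trace are constructed to
mirror the shape of the process tree above, not exported from the sandbox."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

CREATE_SUSPENDED = 0x00000004                        # CreateProcess dwCreationFlags bit
THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER = 0x00000004  # NtCreateThreadEx Flags bit
HOLLOWING_THRESHOLD = 4                              # chosen for this example


@dataclass
class ApiCall:
    pid: int      # calling process
    image: str    # image path of the calling process
    api: str      # API name as the monitor logged it
    args: dict    # selected arguments (constructed schema)


def detect_self_injection(trace: List[ApiCall]) -> List[dict]:
    """One finding per (injector, target) pair that received cross-process writes."""
    image_of: Dict[int, str] = {}       # pid -> image path of that process
    children: Dict[int, dict] = {}      # child pid -> how/by whom it was created
    thread_owner: Dict[int, int] = {}   # primary thread id -> child pid
    writes = defaultdict(int)           # (injector, target) -> WriteProcessMemory count
    set_ctx = defaultdict(bool)         # (injector, target) -> SetThreadContext seen
    resumed = defaultdict(bool)         # (injector, target) -> ResumeThread seen
    hidden = defaultdict(int)           # pid -> threads created hidden from debugger

    def target_of_thread(ev: ApiCall) -> Optional[int]:
        # Map a thread handle back to the process that owns it; ignore own threads.
        t = thread_owner.get(ev.args["thread_id"])
        return t if t is not None and t != ev.pid else None

    for ev in trace:
        image_of.setdefault(ev.pid, ev.image)
        if ev.api == "CreateProcessW":
            children[ev.args["child_pid"]] = {
                "parent": ev.pid, "image": ev.args["image"],
                "suspended": bool(ev.args["creation_flags"] & CREATE_SUSPENDED)}
            thread_owner[ev.args["thread_id"]] = ev.args["child_pid"]
        elif ev.api == "NtCreateThreadEx":
            if ev.args["flags"] & THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER:
                hidden[ev.pid] += 1
        elif ev.api == "WriteProcessMemory" and ev.args["target_pid"] != ev.pid:
            writes[(ev.pid, ev.args["target_pid"])] += 1   # writes into self are not injection
        elif ev.api == "SetThreadContext" and (t := target_of_thread(ev)) is not None:
            set_ctx[(ev.pid, t)] = True
        elif ev.api == "ResumeThread" and (t := target_of_thread(ev)) is not None:
            resumed[(ev.pid, t)] = True

    findings = []
    for (injector, target), count in writes.items():
        child = children.get(target, {})
        own_child = child.get("parent") == injector
        suspended_child = own_child and child["suspended"]
        same_image = own_child and child["image"].lower() == image_of.get(injector, "").lower()
        # Weighted indicators: redirecting the entry point weighs most, a lone write least.
        score = (1
                 + (1 if suspended_child else 0)
                 + (2 if set_ctx[(injector, target)] else 0)
                 + (1 if same_image else 0)
                 + (1 if hidden[injector] else 0))
        findings.append({
            "injector": injector, "target": target, "writes": count,
            "own_suspended_child": suspended_child, "same_image": same_image,
            "set_thread_context": set_ctx[(injector, target)],
            "resumed": resumed[(injector, target)],
            "hide_from_debugger": hidden[injector] > 0,
            "score": score,
            "verdict": ("process hollowing candidate (ATT&CK T1055.012)"
                        if score >= HOLLOWING_THRESHOLD else "cross-process write"),
        })
    return findings


def build_sample_trace() -> List[ApiCall]:
    """Constructed trace: PIDs 3776 -> 2440 borrowed from the report, everything else
    invented, plus a low-score control process that writes once into a normal child."""
    sample = r"C:\Users\Admin\AppData\Local\Temp\sample.exe"   # constructed path
    trace = [
        ApiCall(3776, sample, "NtCreateThreadEx", {"flags": THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER}),
        ApiCall(3776, sample, "CreateProcessW", {"image": sample, "child_pid": 2440,
                                                 "thread_id": 2444, "creation_flags": CREATE_SUSPENDED}),
    ]
    trace += [ApiCall(3776, sample, "WriteProcessMemory", {"target_pid": 2440}) for _ in range(10)]
    trace += [
        ApiCall(3776, sample, "SetThreadContext", {"thread_id": 2444}),
        ApiCall(3776, sample, "ResumeThread", {"thread_id": 2444}),
        ApiCall(1000, r"C:\Tools\dbg.exe", "CreateProcessW",
                {"image": r"C:\Tools\target.exe", "child_pid": 1200, "thread_id": 1204, "creation_flags": 0}),
        ApiCall(1000, r"C:\Tools\dbg.exe", "WriteProcessMemory", {"target_pid": 1200}),
    ]
    return trace


if __name__ == "__main__":
    for finding in detect_self_injection(build_sample_trace()):
        print(finding)
```

The weights are a starting point, not a calibrated model: a single cross-process write is common in debuggers and some installers, which is why the control process scores 1, while a suspended same-image child whose thread context is rewritten before resume is rarely anything but injection. The real signal on this report is the conjunction of signatures, so a detection that fires on WriteProcessMemory alone would be noisy.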

Network

MITRE ATT&CK Matrix

Downloads

  • memory/2440-132-0x0000000000000000-mapping.dmp