Analysis

max time kernel: 41s
max time network: 46s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 04-12-2022 10:24

Static task: static1

Behavioral task: behavioral1
  Sample: DUE PAY.exe
  Resource: win7-20220812-en (windows7-x64)
  3 signatures
  150 seconds
General

Target: DUE PAY.exe
Size: 449KB
MD5: 194874f2b4133a202568b640967e6e37
SHA1: af9378a9a173d46b099305653d9606a6503c4f5e
SHA256: 26434fabc4eae6db7c246b4dfbd2f9153f15024c29f4d2350e91183c4fc64293
SHA512: ee03a017a4f008cd9429b3aaeb67fd84a92cdb2a560e186e7b92193f3ec2871eec1ae515c8c1201dd0c8d37310f908c4452319eab48da3810fd91e0e9b5e8cfb
SSDEEP: 12288:y9qlqw40eerkszUlfEHol7wSUVQpa5HGIl:gql95ewksIqIvYKa5HGu
Score: 3/10
Malware Config
Signatures

Program crash (1 IoC)
Processes:
  pid   pid_target  process       target process
  1680  1660        WerFault.exe  DUE PAY.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description               pid   process
  Token: SeDebugPrivilege   1660  DUE PAY.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description                      pid   process      target process
  PID 1660 wrote to memory of 1680 1660  DUE PAY.exe  WerFault.exe
  PID 1660 wrote to memory of 1680 1660  DUE PAY.exe  WerFault.exe
  PID 1660 wrote to memory of 1680 1660  DUE PAY.exe  WerFault.exe
Processes

C:\Users\Admin\AppData\Local\Temp\DUE PAY.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\DUE PAY.exe"
  PID: 1660
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\WerFault.exe
    Command line: C:\Windows\system32\WerFault.exe -u -p 1660 -s 524
    PID: 1680
    - Program crash