26434fabc4eae6db7c246b4dfbd2f9153f15024c29f4d2350e91183c4fc64293 | Triage

Analysis

max time kernel
41s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
04-12-2022 10:24

Sharing

Report Analysis Logs

General

Target

DUE PAY.exe
Size

449KB
MD5

194874f2b4133a202568b640967e6e37
SHA1

af9378a9a173d46b099305653d9606a6503c4f5e
SHA256

26434fabc4eae6db7c246b4dfbd2f9153f15024c29f4d2350e91183c4fc64293
SHA512

ee03a017a4f008cd9429b3aaeb67fd84a92cdb2a560e186e7b92193f3ec2871eec1ae515c8c1201dd0c8d37310f908c4452319eab48da3810fd91e0e9b5e8cfb
SSDEEP

12288:y9qlqw40eerkszUlfEHol7wSUVQpa5HGIl:gql95ewksIqIvYKa5HGu

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1680 1660 WerFault.exe DUE PAY.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

DUE PAY.exe

description pid process

Token: SeDebugPrivilege 1660 DUE PAY.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

DUE PAY.exe

description	pid	process	target process
PID 1660 wrote to memory of 1680	1660	DUE PAY.exe	WerFault.exe
PID 1660 wrote to memory of 1680	1660	DUE PAY.exe	WerFault.exe
PID 1660 wrote to memory of 1680	1660	DUE PAY.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\DUE PAY.exe
"C:\Users\Admin\AppData\Local\Temp\DUE PAY.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1660

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1660 -s 524
2⤵
- Program crash
PID:1680

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1660-54-0x0000000001130000-0x00000000011A4000-memory.dmp

Filesize
464KB

Download
memory/1680-55-0x0000000000000000-mapping.dmp

Download