Analysis
- max time kernel: 148s
- max time network: 155s
- platform: windows10_x64
- resource: win10v200430
- submitted: 24-06-2020 14:58

Static task: static1

Behavioral task: behavioral1
- Sample: Pdf.exe
- Resource: win7 (windows7_x64)
- 0 signatures
- 0 seconds

Behavioral task: behavioral2
- Sample: Pdf.exe
- Resource: win10v200430 (windows10_x64)
- 0 signatures
- 0 seconds
General
- Target: Pdf.exe
- Size: 1.3MB
- MD5: 54ed627847f3f9b113c1651e52433637
- SHA1: 27a89f3e6a0f6e472f144c8bb52948245171c6f9
- SHA256: df70b7f1c190951daadb981dddb42d7e7ace1d6cba158dbfa983035398ef61aa
- SHA512: 3706fe463b2daa1ac11eaa6d76e221ff3e8ff5cfc3a2cc823b8036133d7329df1dc46b48245d3211c48ee37a2d486eb4ab32eb533e2a1334b824dc269bec331b
- Score: 8/10
Malware Config
Signatures

Drops startup file (3 IoCs)
Processes: INVOICE.EXE, INVOICE.EXE
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AcXtrnal.url (INVOICE.EXE)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat (INVOICE.EXE)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start (INVOICE.EXE)

NTFS ADS (1 IoC)
Processes: INVOICE.EXE
- File created: C:\ProgramData:ApplicationData (INVOICE.EXE)

Adds Run entry to start application (2 TTPs, 1 IoC)
Processes: INVOICE.EXE
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\ProgramData\\images.exe" (INVOICE.EXE)

Suspicious use of WriteProcessMemory (27 IoCs)
Processes: Pdf.exe, INVOICE.EXE, INVOICE.EXE, images.exe, images.exe
- PID 4004 (Pdf.exe) wrote to memory of PID 1396 (INVOICE.EXE), 3 times
- PID 1396 (INVOICE.EXE) wrote to memory of PID 1688 (INVOICE.EXE), 5 times
- PID 1688 (INVOICE.EXE) wrote to memory of PID 1852 (powershell.exe), 3 times
- PID 1688 (INVOICE.EXE) wrote to memory of PID 2124 (images.exe), 3 times
- PID 2124 (images.exe) wrote to memory of PID 2788 (images.exe), 5 times
- PID 2788 (images.exe) wrote to memory of PID 3996 (powershell.exe), 3 times
- PID 2788 (images.exe) wrote to memory of PID 3876 (cmd.exe), 5 times

Executes dropped EXE (4 IoCs)
Processes: INVOICE.EXE, INVOICE.EXE, images.exe, images.exe
- PID 1396 INVOICE.EXE
- PID 1688 INVOICE.EXE
- PID 2124 images.exe
- PID 2788 images.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes: WerFault.exe, WerFault.exe
- Token: SeRestorePrivilege, PID 2928 WerFault.exe
- Token: SeBackupPrivilege, PID 2928 WerFault.exe
- Token: SeDebugPrivilege, PID 2928 WerFault.exe
- Token: SeDebugPrivilege, PID 3852 WerFault.exe

Program crash (2 IoCs)
Processes: WerFault.exe, WerFault.exe
- PID 2928 WerFault.exe, target PID 1852 powershell.exe
- PID 3852 WerFault.exe, target PID 3996 powershell.exe

Suspicious behavior: EnumeratesProcesses (28 IoCs)
Processes: WerFault.exe, WerFault.exe
- PID 2928 WerFault.exe, 14 times
- PID 3852 WerFault.exe, 14 times

Suspicious use of FindShellTrayWindow (6 IoCs)
Processes: INVOICE.EXE, images.exe
- PID 1396 INVOICE.EXE, 3 times
- PID 2124 images.exe, 3 times

Suspicious use of SendNotifyMessage (6 IoCs)
Processes: INVOICE.EXE, images.exe
- PID 1396 INVOICE.EXE, 3 times
- PID 2124 images.exe, 3 times

Suspicious use of SetThreadContext (2 IoCs)
Processes: INVOICE.EXE, images.exe
- PID 1396 (INVOICE.EXE) set thread context of PID 1688 (INVOICE.EXE)
- PID 2124 (images.exe) set thread context of PID 2788 (images.exe)
Processes (process tree; indentation shows parent/child depth, command line in quotes)
- C:\Users\Admin\AppData\Local\Temp\Pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\Pdf.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\INVOICE.EXE
    "C:\Users\Admin\AppData\Local\Temp\INVOICE.EXE"
    - Drops startup file
    - Suspicious use of WriteProcessMemory
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetThreadContext
    - C:\Users\Admin\AppData\Local\Temp\INVOICE.EXE
      "C:\Users\Admin\AppData\Local\Temp\INVOICE.EXE"
      - Drops startup file
      - NTFS ADS
      - Adds Run entry to start application
      - Suspicious use of WriteProcessMemory
      - Executes dropped EXE
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell Add-MpPreference -ExclusionPath C:\"
        - C:\Windows\SysWOW64\WerFault.exe
          "C:\Windows\SysWOW64\WerFault.exe -u -p 1852 -s 700"
          - Suspicious use of AdjustPrivilegeToken
          - Program crash
          - Suspicious behavior: EnumeratesProcesses
      - C:\ProgramData\images.exe
        "C:\ProgramData\images.exe"
        - Suspicious use of WriteProcessMemory
        - Executes dropped EXE
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of SetThreadContext
        - C:\ProgramData\images.exe
          "C:\ProgramData\images.exe"
          - Suspicious use of WriteProcessMemory
          - Executes dropped EXE
          - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "powershell Add-MpPreference -ExclusionPath C:\"
            - C:\Windows\SysWOW64\WerFault.exe
              "C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 700"
              - Suspicious use of AdjustPrivilegeToken
              - Program crash
              - Suspicious behavior: EnumeratesProcesses
          - C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe"
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\ProgramData\
- C:\ProgramData\images.exe
- C:\Users\Admin\AppData\Local\Temp\INVOICE.EXE
- memory/1396-0-0x0000000000000000-mapping.dmp
- memory/1688-3-0x0000000000400000-0x0000000000553000-memory.dmp (Filesize 1.3MB)
- memory/1688-4-0x0000000000405907-mapping.dmp
- memory/1852-6-0x0000000000000000-mapping.dmp
- memory/1852-17-0x0000000000000000-mapping.dmp
- memory/1852-22-0x0000000000000000-mapping.dmp
- memory/1852-21-0x0000000000000000-mapping.dmp
- memory/1852-20-0x0000000000000000-mapping.dmp
- memory/1852-18-0x0000000000000000-mapping.dmp
- memory/2124-7-0x0000000000000000-mapping.dmp
- memory/2788-12-0x0000000000405907-mapping.dmp
- memory/2928-25-0x0000000004E70000-0x0000000004E71000-memory.dmp (Filesize 4KB)
- memory/2928-14-0x0000000004840000-0x0000000004841000-memory.dmp (Filesize 4KB)
- memory/3852-30-0x0000000004D90000-0x0000000004D91000-memory.dmp (Filesize 4KB)
- memory/3852-19-0x0000000004760000-0x0000000004761000-memory.dmp (Filesize 4KB)
- memory/3876-27-0x0000000000000000-mapping.dmp
- memory/3876-16-0x0000000000000000-mapping.dmp
- memory/3996-24-0x0000000000000000-mapping.dmp
- memory/3996-23-0x0000000000000000-mapping.dmp
- memory/3996-26-0x0000000000000000-mapping.dmp
- memory/3996-28-0x0000000000000000-mapping.dmp
- memory/3996-29-0x0000000000000000-mapping.dmp
- memory/3996-15-0x0000000000000000-mapping.dmp