df70b7f1c190951daadb981dddb42d7e7ace1d6cba158dbfa983035398ef61aa

General

Target

Pdf.exe
Size

1.3MB
MD5

54ed627847f3f9b113c1651e52433637
SHA1

27a89f3e6a0f6e472f144c8bb52948245171c6f9
SHA256

df70b7f1c190951daadb981dddb42d7e7ace1d6cba158dbfa983035398ef61aa
SHA512

3706fe463b2daa1ac11eaa6d76e221ff3e8ff5cfc3a2cc823b8036133d7329df1dc46b48245d3211c48ee37a2d486eb4ab32eb533e2a1334b824dc269bec331b

Score

8^/10

persistence

Malware Config

Signatures

Drops startup file 3 IoCs

Processes:

INVOICE.EXEINVOICE.EXE

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AcXtrnal.url	INVOICE.EXE
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat	INVOICE.EXE
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start	INVOICE.EXE

NTFS ADS 1 IoCs

Processes:

INVOICE.EXE

description ioc process

File created C:\ProgramData:ApplicationData INVOICE.EXE

description	ioc	process
File created	C:\ProgramData:ApplicationData	INVOICE.EXE

Adds Run entry to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

INVOICE.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\ProgramData\\images.exe"	INVOICE.EXE

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

Pdf.exeINVOICE.EXEINVOICE.EXEimages.exeimages.exe

description	pid	process	target process
PID 4004 wrote to memory of 1396	4004	Pdf.exe	INVOICE.EXE
PID 4004 wrote to memory of 1396	4004	Pdf.exe	INVOICE.EXE
PID 4004 wrote to memory of 1396	4004	Pdf.exe	INVOICE.EXE
PID 1396 wrote to memory of 1688	1396	INVOICE.EXE	INVOICE.EXE
PID 1396 wrote to memory of 1688	1396	INVOICE.EXE	INVOICE.EXE
PID 1396 wrote to memory of 1688	1396	INVOICE.EXE	INVOICE.EXE
PID 1396 wrote to memory of 1688	1396	INVOICE.EXE	INVOICE.EXE
PID 1396 wrote to memory of 1688	1396	INVOICE.EXE	INVOICE.EXE
PID 1688 wrote to memory of 1852	1688	INVOICE.EXE	powershell.exe
PID 1688 wrote to memory of 1852	1688	INVOICE.EXE	powershell.exe
PID 1688 wrote to memory of 1852	1688	INVOICE.EXE	powershell.exe
PID 1688 wrote to memory of 2124	1688	INVOICE.EXE	images.exe
PID 1688 wrote to memory of 2124	1688	INVOICE.EXE	images.exe
PID 1688 wrote to memory of 2124	1688	INVOICE.EXE	images.exe
PID 2124 wrote to memory of 2788	2124	images.exe	images.exe
PID 2124 wrote to memory of 2788	2124	images.exe	images.exe
PID 2124 wrote to memory of 2788	2124	images.exe	images.exe
PID 2124 wrote to memory of 2788	2124	images.exe	images.exe
PID 2124 wrote to memory of 2788	2124	images.exe	images.exe
PID 2788 wrote to memory of 3996	2788	images.exe	powershell.exe
PID 2788 wrote to memory of 3996	2788	images.exe	powershell.exe
PID 2788 wrote to memory of 3996	2788	images.exe	powershell.exe
PID 2788 wrote to memory of 3876	2788	images.exe	cmd.exe
PID 2788 wrote to memory of 3876	2788	images.exe	cmd.exe
PID 2788 wrote to memory of 3876	2788	images.exe	cmd.exe
PID 2788 wrote to memory of 3876	2788	images.exe	cmd.exe
PID 2788 wrote to memory of 3876	2788	images.exe	cmd.exe

Executes dropped EXE 4 IoCs

Processes:

INVOICE.EXEINVOICE.EXEimages.exeimages.exe

pid process

1396 INVOICE.EXE
1688 INVOICE.EXE
2124 images.exe
2788 images.exe

pid	process
1396	INVOICE.EXE
1688	INVOICE.EXE
2124	images.exe
2788	images.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

WerFault.exeWerFault.exe

description	pid	process
Token: SeRestorePrivilege	2928	WerFault.exe
Token: SeBackupPrivilege	2928	WerFault.exe
Token: SeDebugPrivilege	2928	WerFault.exe
Token: SeDebugPrivilege	3852	WerFault.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2928 1852 WerFault.exe powershell.exe
3852 3996 WerFault.exe powershell.exe

pid	pid_target	process	target process
2928	1852	WerFault.exe	powershell.exe
3852	3996	WerFault.exe	powershell.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

WerFault.exeWerFault.exe

pid	process
2928	WerFault.exe
2928	WerFault.exe
2928	WerFault.exe
2928	WerFault.exe
2928	WerFault.exe
2928	WerFault.exe
2928	WerFault.exe
2928	WerFault.exe
2928	WerFault.exe
2928	WerFault.exe
2928	WerFault.exe
2928	WerFault.exe
2928	WerFault.exe
2928	WerFault.exe
3852	WerFault.exe
3852	WerFault.exe
3852	WerFault.exe
3852	WerFault.exe
3852	WerFault.exe
3852	WerFault.exe
3852	WerFault.exe
3852	WerFault.exe
3852	WerFault.exe
3852	WerFault.exe
3852	WerFault.exe
3852	WerFault.exe
3852	WerFault.exe
3852	WerFault.exe

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

INVOICE.EXEimages.exe

pid process

1396 INVOICE.EXE
1396 INVOICE.EXE
1396 INVOICE.EXE
2124 images.exe
2124 images.exe
2124 images.exe
Suspicious use of SendNotifyMessage 6 IoCs

Processes:

INVOICE.EXEimages.exe

pid process

1396 INVOICE.EXE
1396 INVOICE.EXE
1396 INVOICE.EXE
2124 images.exe
2124 images.exe
2124 images.exe

pid	process
1396	INVOICE.EXE
1396	INVOICE.EXE
1396	INVOICE.EXE
2124	images.exe
2124	images.exe
2124	images.exe

pid	process
1396	INVOICE.EXE
1396	INVOICE.EXE
1396	INVOICE.EXE
2124	images.exe
2124	images.exe
2124	images.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

INVOICE.EXEimages.exe

description	pid	process	target process
PID 1396 set thread context of 1688	1396	INVOICE.EXE	INVOICE.EXE
PID 2124 set thread context of 2788	2124	images.exe	images.exe

C:\Users\Admin\AppData\Local\Temp\Pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Pdf.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4004

C:\Users\Admin\AppData\Local\Temp\INVOICE.EXE
"C:\Users\Admin\AppData\Local\Temp\INVOICE.EXE"
2⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetThreadContext
PID:1396

C:\Users\Admin\AppData\Local\Temp\INVOICE.EXE
"C:\Users\Admin\AppData\Local\Temp\INVOICE.EXE"
3⤵
- Drops startup file
- NTFS ADS
- Adds Run entry to start application
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
PID:1688

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath C:\
4⤵
PID:1852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1852 -s 700
5⤵
- Suspicious use of AdjustPrivilegeToken
- Program crash
- Suspicious behavior: EnumeratesProcesses
PID:2928

C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
4⤵
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetThreadContext
PID:2124

C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
5⤵
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
PID:2788

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath C:\
6⤵
PID:3996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 700
7⤵
- Suspicious use of AdjustPrivilegeToken
- Program crash
- Suspicious behavior: EnumeratesProcesses
PID:3852

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
6⤵
PID:3876

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\

Download Submit
C:\ProgramData\images.exe

Download Submit
C:\ProgramData\images.exe

Download Submit
C:\ProgramData\images.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\INVOICE.EXE

Download Submit
C:\Users\Admin\AppData\Local\Temp\INVOICE.EXE

Download Submit
C:\Users\Admin\AppData\Local\Temp\INVOICE.EXE

Download Submit
memory/1396-0-0x0000000000000000-mapping.dmp

Download
memory/1688-3-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/1688-4-0x0000000000405907-mapping.dmp

Download
memory/1852-6-0x0000000000000000-mapping.dmp

Download
memory/1852-17-0x0000000000000000-mapping.dmp

Download
memory/1852-22-0x0000000000000000-mapping.dmp

Download
memory/1852-21-0x0000000000000000-mapping.dmp

Download
memory/1852-20-0x0000000000000000-mapping.dmp

Download
memory/1852-18-0x0000000000000000-mapping.dmp

Download
memory/2124-7-0x0000000000000000-mapping.dmp

Download
memory/2788-12-0x0000000000405907-mapping.dmp

Download
memory/2928-25-0x0000000004E70000-0x0000000004E71000-memory.dmp

Filesize
4KB

Download
memory/2928-14-0x0000000004840000-0x0000000004841000-memory.dmp

Filesize
4KB

Download
memory/3852-30-0x0000000004D90000-0x0000000004D91000-memory.dmp

Filesize
4KB

Download
memory/3852-19-0x0000000004760000-0x0000000004761000-memory.dmp

Filesize
4KB

Download
memory/3876-27-0x0000000000000000-mapping.dmp

Download
memory/3876-16-0x0000000000000000-mapping.dmp

Download
memory/3996-24-0x0000000000000000-mapping.dmp

Download
memory/3996-23-0x0000000000000000-mapping.dmp

Download
memory/3996-26-0x0000000000000000-mapping.dmp

Download
memory/3996-28-0x0000000000000000-mapping.dmp

Download
memory/3996-29-0x0000000000000000-mapping.dmp

Download
memory/3996-15-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads