6645ca72c1da8e6325dc17645413624742d223df8ca65c6a178ff600bc00cb52

General

Target

BCM1940224 pdf.exe
Size

872KB
MD5

e03b9b92da8fbc6addeec4d471497c10
SHA1

172ad64a0574bf483b2154d76618499411b84059
SHA256

6645ca72c1da8e6325dc17645413624742d223df8ca65c6a178ff600bc00cb52
SHA512

322f21d4851b5fb4e4249d5b7e0cb88a5c739fb88e56403fa86c9bfaa425effb56db1813fdc87cd128adc487bf2020d09f9faad7934e456f6b25cf12f174a50a

Score

8^/10

spyware

Malware Config

Signatures

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

Processes:

resource	yara_rule
behavioral1/memory/1256-0-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral1/memory/1256-2-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral1/memory/1256-3-0x0000000000400000-0x0000000000450000-memory.dmp	upx

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 checkip.dyndns.org
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

BCM1940224 pdf.exeBCM1940224 pdf.exe

pid process

1100 BCM1940224 pdf.exe
1256 BCM1940224 pdf.exe

flow	ioc
3	checkip.dyndns.org

pid	process
1100	BCM1940224 pdf.exe
1256	BCM1940224 pdf.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

BCM1940224 pdf.exe

description	pid	process	target process
PID 1100 wrote to memory of 1256	1100	BCM1940224 pdf.exe	BCM1940224 pdf.exe
PID 1100 wrote to memory of 1256	1100	BCM1940224 pdf.exe	BCM1940224 pdf.exe
PID 1100 wrote to memory of 1256	1100	BCM1940224 pdf.exe	BCM1940224 pdf.exe
PID 1100 wrote to memory of 1256	1100	BCM1940224 pdf.exe	BCM1940224 pdf.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

BCM1940224 pdf.exe

pid process

1100 BCM1940224 pdf.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

BCM1940224 pdf.exe

description pid process

Token: SeDebugPrivilege 1256 BCM1940224 pdf.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

BCM1940224 pdf.exe

description pid process target process

PID 1100 set thread context of 1256 1100 BCM1940224 pdf.exe BCM1940224 pdf.exe
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1100	BCM1940224 pdf.exe

description	pid	process
Token: SeDebugPrivilege	1256	BCM1940224 pdf.exe

description	pid	process	target process
PID 1100 set thread context of 1256	1100	BCM1940224 pdf.exe	BCM1940224 pdf.exe

C:\Users\Admin\AppData\Local\Temp\BCM1940224 pdf.exe
"C:\Users\Admin\AppData\Local\Temp\BCM1940224 pdf.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:1100

C:\Users\Admin\AppData\Local\Temp\BCM1940224 pdf.exe
"C:\Users\Admin\AppData\Local\Temp\BCM1940224 pdf.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1256

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

Lateral Movement

Collection

Data from Local System

3

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1256-0-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1256-1-0x000000000044E550-mapping.dmp

Download
memory/1256-2-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1256-3-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1256-4-0x0000000001BE0000-0x0000000001C02000-memory.dmp

Filesize
136KB

Download
memory/1256-5-0x0000000001D32000-0x0000000001D33000-memory.dmp

Filesize
4KB

Download
memory/1256-6-0x00000000003C0000-0x00000000003DC000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing