Analysis
max time kernel: 52s
max time network: 56s
platform: windows7_x64
resource: win7
submitted: 29-06-2020 18:08
Static task: static1
Behavioral task: behavioral1
  Sample: BCM1940224 pdf.exe
  Resource: win7
Behavioral task: behavioral2
  Sample: BCM1940224 pdf.exe
  Resource: win10
General
Target: BCM1940224 pdf.exe
Size: 872KB
MD5: e03b9b92da8fbc6addeec4d471497c10
SHA1: 172ad64a0574bf483b2154d76618499411b84059
SHA256: 6645ca72c1da8e6325dc17645413624742d223df8ca65c6a178ff600bc00cb52
SHA512: 322f21d4851b5fb4e4249d5b7e0cb88a5c739fb88e56403fa86c9bfaa425effb56db1813fdc87cd128adc487bf2020d09f9faad7934e456f6b25cf12f174a50a
Malware Config
Signatures

UPX packed file (3 IoCs)
Detects executables packed with UPX/modified UPX open source packer.
Processes:
  resource                                                                    yara_rule
  behavioral1/memory/1256-0-0x0000000000400000-0x0000000000450000-memory.dmp  upx
  behavioral1/memory/1256-2-0x0000000000400000-0x0000000000450000-memory.dmp  upx
  behavioral1/memory/1256-3-0x0000000000400000-0x0000000000450000-memory.dmp  upx
All three matches are dumps of the same 0x400000-0x450000 region of PID 1256, the process that PID 1100 writes into (see WriteProcessMemory and SetThreadContext below); the rule fired on the in-memory image, not on the file on disk.
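The text of the sandbox's upx rule is not on this page. As an added example (not the sandbox's YARA rule and not code from the sample), the Python below walks a PE section table and reports the three cheap UPX indicators an analyst checks first: the UPX0/UPX1 section names, the "UPX!" marker carried by the stub's l_info header, and the empty first section (raw size 0, large virtual size) that survives even when a modified build renames the sections. The PE images it runs on are constructed inline; `build_pe`, `section_headers` and `upx_indicators` are this example's own names.

```python
"""Static check for UPX / modified-UPX packing by walking the PE section
table.  Added example for this report; not the sandbox's own YARA rule."""
import struct

UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}
UPX_MAGIC = b"UPX!"   # l_magic in the l_info header the UPX stub reads


def section_headers(pe: bytes):
    """Return [(name, virtual_size, virtual_addr, raw_size, raw_ptr), ...]."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ)")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file (missing PE signature)")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER
    n_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    first = coff + 20 + opt_size             # first IMAGE_SECTION_HEADER
    out = []
    for i in range(n_sections):
        name, vsize, vaddr, rsize, rptr = struct.unpack_from(
            "<8sIIII", pe, first + i * 40)
        out.append((name.rstrip(b"\0"), vsize, vaddr, rsize, rptr))
    return out


def upx_indicators(pe: bytes):
    """List of UPX indicators found; empty list means none."""
    hits = []
    secs = section_headers(pe)
    if {s[0] for s in secs} & UPX_SECTION_NAMES:
        hits.append("upx_section_names")
    if UPX_MAGIC in pe:
        hits.append("upx_magic")
    # Modified UPX builds often rename sections but keep the layout: the
    # first section is an empty placeholder (raw size 0) that the stub
    # decompresses into, so it has a large virtual size and no file data.
    if secs and secs[0][3] == 0 and secs[0][1] > 0:
        hits.append("empty_first_section")
    return hits


def build_pe(sections):
    """Minimal PE32 image with the given (name, vsize, vaddr, rsize, rptr,
    characteristics) section headers.  Constructed test input only."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)               # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    opt[:2] = struct.pack("<H", 0x10B)                   # PE32 magic
    hdrs = b"".join(
        struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, ch)
        for n, vs, va, rs, rp, ch in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs


# Constructed samples (not the sample from the report).  In a real packed
# file the "UPX!" marker sits in the l_info header before the compressed
# blocks; here it is simply appended after the headers.
PACKED = build_pe([
    (b"UPX0", 0x30000, 0x01000, 0x00000, 0x00400, 0xE0000080),
    (b"UPX1", 0x20000, 0x31000, 0x1F000, 0x00400, 0xE0000040),
    (b".rsrc", 0x1000, 0x51000, 0x01000, 0x1F400, 0xC0000040),
]) + UPX_MAGIC + b"\0" * 8
RENAMED = build_pe([                      # sections renamed, layout kept
    (b".text", 0x30000, 0x01000, 0x00000, 0x00400, 0xE0000080),
    (b".data", 0x20000, 0x31000, 0x1F000, 0x00400, 0xE0000040),
])
PLAIN = build_pe([
    (b".text", 0x1000, 0x1000, 0x1000, 0x0400, 0x60000020),
    (b".data", 0x0200, 0x2000, 0x0200, 0x1400, 0xC0000040),
])

if __name__ == "__main__":
    for label, img in (("packed", PACKED), ("renamed", RENAMED), ("plain", PLAIN)):
        print(label, upx_indicators(img))
```

Run it on the file from the Downloads list rather than on the constructed images to reproduce the check against the real dump; a memory dump taken after the stub has run still carries the original section headers, which is why the name and layout checks work on the 0x400000 region as well as on the file.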
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow  ioc
  3     checkip.dyndns.org
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid   process
  1100  BCM1940224 pdf.exe
  1256  BCM1940224 pdf.exe
Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
  description                         pid   process             target process
  PID 1100 wrote to memory of 1256    1100  BCM1940224 pdf.exe  BCM1940224 pdf.exe
  PID 1100 wrote to memory of 1256    1100  BCM1940224 pdf.exe  BCM1940224 pdf.exe
  PID 1100 wrote to memory of 1256    1100  BCM1940224 pdf.exe  BCM1940224 pdf.exe
  PID 1100 wrote to memory of 1256    1100  BCM1940224 pdf.exe  BCM1940224 pdf.exe
Suspicious behavior: MapViewOfSection (1 IoC)
Processes:
  pid   process
  1100  BCM1940224 pdf.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description               pid   process
  Token: SeDebugPrivilege   1256  BCM1940224 pdf.exe
Suspicious use of SetThreadContext (1 IoC)
Processes:
  description                           pid   process             target process
  PID 1100 set thread context of 1256   1100  BCM1940224 pdf.exe  BCM1940224 pdf.exe
Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk where infostealers will often target it.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.
Processes
1. C:\Users\Admin\AppData\Local\Temp\BCM1940224 pdf.exe (PID 1100)
   Command line: "C:\Users\Admin\AppData\Local\Temp\BCM1940224 pdf.exe"
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of SetThreadContext
   2. C:\Users\Admin\AppData\Local\Temp\BCM1940224 pdf.exe (PID 1256, child of 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\BCM1940224 pdf.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
PIDs are taken from the signature tables above: 1100 is the process that writes into and sets the thread context of 1256, and 1256 is the process that enables SeDebugPrivilege.
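The WriteProcessMemory, SetThreadContext, MapViewOfSection and AdjustPrivilegeToken signatures and the process tree above describe one chain: PID 1100 spawns a second copy of its own image, writes into it four times, and sets the child's thread context; the child (1256) then enables SeDebugPrivilege. The report also records a flow to checkip.dyndns.org. As an added example (not the sandbox's own signature logic), the Python below transcribes those rows into events and correlates them so that a cross-process write is only reported when a SetThreadContext on the same target accompanies it, then flags the IP-lookup host from the flow table. The event field names, the function names and the lookup hosts other than checkip.dyndns.org are this example's assumptions.

```python
"""Correlate the per-process rows of this sandbox report into findings.
Added example for this page; not the sandbox's own signature logic."""
from collections import defaultdict

IMAGE = "BCM1940224 pdf.exe"

# Events transcribed from the report's signature tables.  PIDs, image
# names and counts are the report's; the "event" labels and field names
# are this example's own.
EVENTS = [
    {"event": "WriteProcessMemory", "pid": 1100, "image": IMAGE,
     "target": 1256, "target_image": IMAGE}
    for _ in range(4)
] + [
    {"event": "MapViewOfSection", "pid": 1100, "image": IMAGE},
    {"event": "SetThreadContext", "pid": 1100, "image": IMAGE,
     "target": 1256, "target_image": IMAGE},
    {"event": "EnumeratesProcesses", "pid": 1100, "image": IMAGE},
    {"event": "EnumeratesProcesses", "pid": 1256, "image": IMAGE},
    {"event": "AdjustPrivilegeToken", "pid": 1256, "image": IMAGE,
     "detail": "SeDebugPrivilege"},
]

# Network flows from the report (flow id, destination host).
FLOWS = [{"flow": 3, "host": "checkip.dyndns.org"}]

# Public "what is my IP" services.  Only checkip.dyndns.org appears in the
# report; the others are an assumed watch-list added for this example.
IP_LOOKUP_HOSTS = {
    "checkip.dyndns.org", "api.ipify.org", "icanhazip.com",
    "ifconfig.me", "ipinfo.io",
}


def injection_chains(events):
    """One record per (writer, target) pair that shows both a cross-process
    memory write and a thread-context change.  A write on its own is common
    (installers, debuggers); write + SetThreadContext into a fresh copy of
    the writer's own image is the shape seen in this report."""
    api_counts = defaultdict(lambda: defaultdict(int))
    images, privs = {}, defaultdict(list)
    for ev in events:
        images[ev["pid"]] = ev["image"]
        if "target" in ev:
            images[ev["target"]] = ev["target_image"]
            api_counts[(ev["pid"], ev["target"])][ev["event"]] += 1
        if ev["event"] == "AdjustPrivilegeToken":
            privs[ev["pid"]].append(ev["detail"])
    chains = []
    for (writer, target), apis in api_counts.items():
        if apis.get("WriteProcessMemory") and apis.get("SetThreadContext"):
            chains.append({
                "parent": writer,
                "child": target,
                "same_image": images[writer] == images[target],
                "apis": dict(apis),
                "child_privileges": privs.get(target, []),
            })
    return chains


def flag_ip_lookups(flows):
    """Hosts from the flow table that are known external-IP lookup services."""
    return [f["host"] for f in flows if f["host"] in IP_LOOKUP_HOSTS]


def summarize(events, flows):
    """Human-readable findings, one per line."""
    lines = []
    for c in injection_chains(events):
        kind = "self-injection" if c["same_image"] else "injection"
        lines.append(
            f"{kind}: PID {c['parent']} -> PID {c['child']} "
            f"(WriteProcessMemory x{c['apis']['WriteProcessMemory']}, "
            f"SetThreadContext x{c['apis']['SetThreadContext']}); "
            f"child enabled {', '.join(c['child_privileges']) or 'no privileges'}"
        )
    for host in flag_ip_lookups(flows):
        lines.append(f"external IP lookup: {host}")
    return lines


if __name__ == "__main__":
    for line in summarize(EVENTS, FLOWS):
        print(line)
```

Requiring both APIs on the same (writer, target) pair is what keeps the rule quiet on ordinary WriteProcessMemory users; the `same_image` flag separates the self-copy pattern in this report from injection into an unrelated process, which an analyst would triage differently.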
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
  dump                                                            filesize
  memory/1256-0-0x0000000000400000-0x0000000000450000-memory.dmp  320KB
  memory/1256-1-0x000000000044E550-mapping.dmp
  memory/1256-2-0x0000000000400000-0x0000000000450000-memory.dmp  320KB
  memory/1256-3-0x0000000000400000-0x0000000000450000-memory.dmp  320KB
  memory/1256-4-0x0000000001BE0000-0x0000000001C02000-memory.dmp  136KB
  memory/1256-5-0x0000000001D32000-0x0000000001D33000-memory.dmp  4KB
  memory/1256-6-0x00000000003C0000-0x00000000003DC000-memory.dmp  112KB
All dumps are of PID 1256, the written-into child. The 0x44E550 mapping address lies inside the 0x400000-0x450000 region that the upx rule matched in dumps 0, 2 and 3.