Analysis
-
max time kernel
66s -
max time network
112s -
platform
windows10_x64 -
resource
win10 -
submitted
29-06-2020 18:08
General
-
Target
BCM1940224 pdf.exe
-
Size
872KB
-
MD5
e03b9b92da8fbc6addeec4d471497c10
-
SHA1
172ad64a0574bf483b2154d76618499411b84059
-
SHA256
6645ca72c1da8e6325dc17645413624742d223df8ca65c6a178ff600bc00cb52
-
SHA512
322f21d4851b5fb4e4249d5b7e0cb88a5c739fb88e56403fa86c9bfaa425effb56db1813fdc87cd128adc487bf2020d09f9faad7934e456f6b25cf12f174a50a
Score
8/10
Malware Config
Signatures
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 3 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Processes
-
C:\Users\Admin\AppData\Local\Temp\BCM1940224 pdf.exe"C:\Users\Admin\AppData\Local\Temp\BCM1940224 pdf.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\BCM1940224 pdf.exe"C:\Users\Admin\AppData\Local\Temp\BCM1940224 pdf.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/3620-0-0x0000000000400000-0x0000000000450000-memory.dmpFilesize
320KB
-
memory/3620-1-0x000000000044E550-mapping.dmp
-
memory/3620-2-0x0000000000400000-0x0000000000450000-memory.dmpFilesize
320KB
-
memory/3620-3-0x0000000000400000-0x0000000000450000-memory.dmpFilesize
320KB
-
memory/3620-4-0x00000000008D0000-0x00000000008F2000-memory.dmpFilesize
136KB
-
memory/3620-5-0x00000000009C2000-0x00000000009C3000-memory.dmpFilesize
4KB