Analysis
- max time kernel: 66s
- max time network: 112s
- platform: windows10_x64
- resource: win10
- submitted: 29-06-2020 18:08
Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: BCM1940224 pdf.exe
  Resource: win7
- Behavioral task: behavioral2
  Sample: BCM1940224 pdf.exe
  Resource: win10
General
- Target: BCM1940224 pdf.exe
- Size: 872KB
- MD5: e03b9b92da8fbc6addeec4d471497c10
- SHA1: 172ad64a0574bf483b2154d76618499411b84059
- SHA256: 6645ca72c1da8e6325dc17645413624742d223df8ca65c6a178ff600bc00cb52
- SHA512: 322f21d4851b5fb4e4249d5b7e0cb88a5c739fb88e56403fa86c9bfaa425effb56db1813fdc87cd128adc487bf2020d09f9faad7934e456f6b25cf12f174a50a
Malware Config
Signatures
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow  ioc
    1     checkip.dyndns.org
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes:
    pid   process
    2728  BCM1940224 pdf.exe
    2728  BCM1940224 pdf.exe
    3620  BCM1940224 pdf.exe
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes:
    pid   process
    2728  BCM1940224 pdf.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  3620  BCM1940224 pdf.exe
- UPX packed file (3 IoCs)
  Detects executables packed with UPX/modified UPX open source packer.
  Processes:
    resource                                                                yara_rule
    behavioral2/memory/3620-0-0x0000000000400000-0x0000000000450000-memory.dmp  upx
    behavioral2/memory/3620-2-0x0000000000400000-0x0000000000450000-memory.dmp  upx
    behavioral2/memory/3620-3-0x0000000000400000-0x0000000000450000-memory.dmp  upx
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description                       pid   process             target process
    PID 2728 wrote to memory of 3620  2728  BCM1940224 pdf.exe  BCM1940224 pdf.exe
    PID 2728 wrote to memory of 3620  2728  BCM1940224 pdf.exe  BCM1940224 pdf.exe
    PID 2728 wrote to memory of 3620  2728  BCM1940224 pdf.exe  BCM1940224 pdf.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description                             pid   process             target process
    PID 2728 set thread context of 3620     2728  BCM1940224 pdf.exe  BCM1940224 pdf.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Processes
- Process 1: C:\Users\Admin\AppData\Local\Temp\BCM1940224 pdf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\BCM1940224 pdf.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SetThreadContext
- Process 2: C:\Users\Admin\AppData\Local\Temp\BCM1940224 pdf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\BCM1940224 pdf.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/3620-0-0x0000000000400000-0x0000000000450000-memory.dmp (filesize 320KB)
- memory/3620-1-0x000000000044E550-mapping.dmp
- memory/3620-2-0x0000000000400000-0x0000000000450000-memory.dmp (filesize 320KB)
- memory/3620-3-0x0000000000400000-0x0000000000450000-memory.dmp (filesize 320KB)
- memory/3620-4-0x00000000008D0000-0x00000000008F2000-memory.dmp (filesize 136KB)
- memory/3620-5-0x00000000009C2000-0x00000000009C3000-memory.dmp (filesize 4KB)