c8fbdfebce02c75b83f14b5706f8b874435c33d48cc868bf046f13fe3dfad98d

General

Target

INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe
Size

223KB
MD5

0b89e3e11d64e96a9eb841c297c3e795
SHA1

ee91492d04556958af32986a5f235a4c528c9178
SHA256

c8fbdfebce02c75b83f14b5706f8b874435c33d48cc868bf046f13fe3dfad98d
SHA512

d91acd5c4b45ef6b7f5a6a006c74e067e193bbac6beef17f5c8893fbed0e6f40d3cde335b21f1068a48f5ba6e4164616d568dcab58bb306c18a5fada16aed690

Score

8^/10

persistence

Malware Config

Signatures

NTFS ADS 1 IoCs

Processes:

INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe

description ioc process

File created C:\ProgramData:ApplicationData INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe

description	ioc	process
File created	C:\ProgramData:ApplicationData	INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exeINV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exeadobe.exe

description	pid	process	target process
PID 3820 wrote to memory of 3812	3820	INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe	schtasks.exe
PID 3820 wrote to memory of 3812	3820	INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe	schtasks.exe
PID 3820 wrote to memory of 3812	3820	INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe	schtasks.exe
PID 3820 wrote to memory of 3804	3820	INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe	INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe
PID 3820 wrote to memory of 3804	3820	INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe	INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe
PID 3820 wrote to memory of 3804	3820	INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe	INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe
PID 3820 wrote to memory of 3804	3820	INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe	INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe
PID 3820 wrote to memory of 3804	3820	INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe	INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe
PID 3820 wrote to memory of 3804	3820	INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe	INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe
PID 3820 wrote to memory of 3804	3820	INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe	INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe
PID 3820 wrote to memory of 3804	3820	INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe	INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe
PID 3820 wrote to memory of 3804	3820	INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe	INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe
PID 3820 wrote to memory of 3804	3820	INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe	INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe
PID 3820 wrote to memory of 3804	3820	INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe	INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe
PID 3804 wrote to memory of 3960	3804	INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe	powershell.exe
PID 3804 wrote to memory of 3960	3804	INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe	powershell.exe
PID 3804 wrote to memory of 3960	3804	INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe	powershell.exe
PID 3804 wrote to memory of 1820	3804	INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe	adobe.exe
PID 3804 wrote to memory of 1820	3804	INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe	adobe.exe
PID 3804 wrote to memory of 1820	3804	INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe	adobe.exe
PID 1820 wrote to memory of 2128	1820	adobe.exe	adobe.exe
PID 1820 wrote to memory of 2128	1820	adobe.exe	adobe.exe
PID 1820 wrote to memory of 2128	1820	adobe.exe	adobe.exe
PID 1820 wrote to memory of 2132	1820	adobe.exe	adobe.exe
PID 1820 wrote to memory of 2132	1820	adobe.exe	adobe.exe
PID 1820 wrote to memory of 2132	1820	adobe.exe	adobe.exe
PID 1820 wrote to memory of 2136	1820	adobe.exe	adobe.exe
PID 1820 wrote to memory of 2136	1820	adobe.exe	adobe.exe
PID 1820 wrote to memory of 2136	1820	adobe.exe	adobe.exe
PID 1820 wrote to memory of 2444	1820	adobe.exe	adobe.exe
PID 1820 wrote to memory of 2444	1820	adobe.exe	adobe.exe
PID 1820 wrote to memory of 2444	1820	adobe.exe	adobe.exe
PID 1820 wrote to memory of 2484	1820	adobe.exe	adobe.exe
PID 1820 wrote to memory of 2484	1820	adobe.exe	adobe.exe
PID 1820 wrote to memory of 2484	1820	adobe.exe	adobe.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe

description	pid	process	target process
PID 3820 set thread context of 3804	3820	INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe	INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe

Executes dropped EXE 6 IoCs

Processes:

adobe.exeadobe.exeadobe.exeadobe.exeadobe.exeadobe.exe

pid process

1820 adobe.exe
2128 adobe.exe
2132 adobe.exe
2136 adobe.exe
2444 adobe.exe
2484 adobe.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3008 3960 WerFault.exe powershell.exe

pid	process
1820	adobe.exe
2128	adobe.exe
2132	adobe.exe
2136	adobe.exe
2444	adobe.exe
2484	adobe.exe

pid	pid_target	process	target process
3008	3960	WerFault.exe	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

WerFault.exeadobe.exe

description	pid	process
Token: SeRestorePrivilege	3008	WerFault.exe
Token: SeBackupPrivilege	3008	WerFault.exe
Token: SeDebugPrivilege	3008	WerFault.exe
Token: SeDebugPrivilege	1820	adobe.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

WerFault.exeadobe.exe

pid	process
3008	WerFault.exe
3008	WerFault.exe
3008	WerFault.exe
3008	WerFault.exe
3008	WerFault.exe
3008	WerFault.exe
3008	WerFault.exe
3008	WerFault.exe
3008	WerFault.exe
3008	WerFault.exe
3008	WerFault.exe
3008	WerFault.exe
3008	WerFault.exe
1820	adobe.exe
1820	adobe.exe
1820	adobe.exe
1820	adobe.exe
1820	adobe.exe
1820	adobe.exe
1820	adobe.exe
1820	adobe.exe
1820	adobe.exe
1820	adobe.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3812 schtasks.exe

pid	process
3812	schtasks.exe

Drops startup file 2 IoCs

Processes:

INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat	INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start	INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe

Adds Run entry to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\microsoft.exe = "C:\\ProgramData\\adobe.exe"	INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe

C:\Users\Admin\AppData\Local\Temp\INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
PID:3820

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pIIBrU" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7951.tmp"
2⤵
- Creates scheduled task(s)
PID:3812

C:\Users\Admin\AppData\Local\Temp\INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe
"{path}"
2⤵
- NTFS ADS
- Suspicious use of WriteProcessMemory
- Drops startup file
- Adds Run entry to start application
PID:3804

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath C:\
3⤵
PID:3960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 700
4⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:3008

C:\ProgramData\adobe.exe
"C:\ProgramData\adobe.exe"
3⤵
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:1820

C:\ProgramData\adobe.exe
"{path}"
4⤵
- Executes dropped EXE
PID:2128

C:\ProgramData\adobe.exe
"{path}"
4⤵
- Executes dropped EXE
PID:2132

C:\ProgramData\adobe.exe
"{path}"
4⤵
- Executes dropped EXE
PID:2136

C:\ProgramData\adobe.exe
"{path}"
4⤵
- Executes dropped EXE
PID:2444

C:\ProgramData\adobe.exe
"{path}"
4⤵
- Executes dropped EXE
PID:2484

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\

Download Submit
C:\ProgramData\adobe.exe

Download Submit
C:\ProgramData\adobe.exe

Download Submit
C:\ProgramData\adobe.exe

Download Submit
C:\ProgramData\adobe.exe

Download Submit
C:\ProgramData\adobe.exe

Download Submit
C:\ProgramData\adobe.exe

Download Submit
C:\ProgramData\adobe.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7951.tmp

Download Submit
memory/1820-6-0x0000000000000000-mapping.dmp

Download
memory/3008-16-0x0000000004D70000-0x0000000004D71000-memory.dmp

Filesize
4KB

Download
memory/3008-10-0x0000000004740000-0x0000000004741000-memory.dmp

Filesize
4KB

Download
memory/3804-4-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/3804-3-0x0000000000405A3D-mapping.dmp

Download
memory/3804-2-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/3812-0-0x0000000000000000-mapping.dmp

Download
memory/3960-5-0x0000000000000000-mapping.dmp

Download
memory/3960-15-0x0000000000000000-mapping.dmp

Download
memory/3960-13-0x0000000000000000-mapping.dmp

Download
memory/3960-14-0x0000000000000000-mapping.dmp

Download
memory/3960-11-0x0000000000000000-mapping.dmp

Download
memory/3960-12-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads