Analysis
- max time kernel: 140s
- max time network: 6s
- platform: windows7_x64
- resource: win7v200430
- submitted: 30-06-2020 12:19
Static task: static1
Behavioral task: behavioral1
- Sample: pagamento.pdf.exe
- Resource: win7v200430 (windows7_x64)
- 0 signatures, 0 seconds
Behavioral task: behavioral2
- Sample: pagamento.pdf.exe
- Resource: win10v200430 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: pagamento.pdf.exe
- Size: 645KB
- MD5: 2dc09d438a5d93330cdc95cbcc1f92df
- SHA1: 2b347c840695d84ee8eee712f30933089efb1da2
- SHA256: e41ee8ef8e196d80c1db94848c6dd31eb8737b6f77d7bf63537138e110f79120
- SHA512: e3c755b33e72e95c161a4e90ef5e8f7e2cbe06929564c0833f3245bda9778afb0d62f02c89b5320ff154118e9dffbc1277701465b31f3d7c5305c6514674c697
Score: 7/10
Malware Config
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description | pid | process):
    Token: SeDebugPrivilege | 1092 | pagamento.pdf.exe
    Token: SeDebugPrivilege | 1824 | pagamento.pdf.exe
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes (pid | process):
    1092 | pagamento.pdf.exe (3 occurrences)
    1824 | pagamento.pdf.exe (2 occurrences)
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description | pid | process | target process):
    PID 1092 wrote to memory of 1824 | 1092 | pagamento.pdf.exe | pagamento.pdf.exe (9 occurrences)
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description | pid | process | target process):
    PID 1092 set thread context of 1824 | 1092 | pagamento.pdf.exe | pagamento.pdf.exe
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers will often target it.
Processes
- C:\Users\Admin\AppData\Local\Temp\pagamento.pdf.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\pagamento.pdf.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SetThreadContext
- C:\Users\Admin\AppData\Local\Temp\pagamento.pdf.exe (depth 2)
  Command line: "C:\Users\Admin\AppData\Local\Temp\pagamento.pdf.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1092-1-0x0000000000000000-0x0000000000000000-disk.dmp
- memory/1824-3-0x0000000000400000-0x000000000044C000-memory.dmp (filesize 304KB)
- memory/1824-4-0x000000000044622E-mapping.dmp
- memory/1824-5-0x0000000000400000-0x000000000044C000-memory.dmp (filesize 304KB)
- memory/1824-6-0x0000000000400000-0x000000000044C000-memory.dmp (filesize 304KB)