7c55ed9770b23295ab1f5554cb98298b6f2548ce263feaeb6f5e4cd0b26524fc

General

Target

Order_024,pdf.exe
Size

4.6MB
MD5

dfb5d8ee67b5b99694fb055bbffd267e
SHA1

7907a954ba3f7bec7eda283bd6af94fcc5ea59a1
SHA256

7c55ed9770b23295ab1f5554cb98298b6f2548ce263feaeb6f5e4cd0b26524fc
SHA512

1b4857ec709de050bf623d4d43eeaef24cc1d9bb116c6185b9dfa0fbf3644467be4d33ab59205c9615f02e6e0b315a98a0ee3d3403cb1823525210a27ea0be28

Score

8^/10

persistence

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1164	Order_024,pdf.exe
Token: SeDebugPrivilege	1692	jhgf.exe
Token: SeDebugPrivilege	1900	AddInProcess32.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1164	Order_024,pdf.exe
1164	Order_024,pdf.exe
1164	Order_024,pdf.exe
1164	Order_024,pdf.exe
1692	jhgf.exe
1692	jhgf.exe
1692	jhgf.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1164 wrote to memory of 1424	1164	Order_024,pdf.exe	24
PID 1164 wrote to memory of 1424	1164	Order_024,pdf.exe	24
PID 1164 wrote to memory of 1424	1164	Order_024,pdf.exe	24
PID 1164 wrote to memory of 1424	1164	Order_024,pdf.exe	24
PID 1424 wrote to memory of 1608	1424	cmd.exe	26
PID 1424 wrote to memory of 1608	1424	cmd.exe	26
PID 1424 wrote to memory of 1608	1424	cmd.exe	26
PID 1424 wrote to memory of 1608	1424	cmd.exe	26
PID 1164 wrote to memory of 1692	1164	Order_024,pdf.exe	29
PID 1164 wrote to memory of 1692	1164	Order_024,pdf.exe	29
PID 1164 wrote to memory of 1692	1164	Order_024,pdf.exe	29
PID 1164 wrote to memory of 1692	1164	Order_024,pdf.exe	29
PID 1692 wrote to memory of 1900	1692	jhgf.exe	30
PID 1692 wrote to memory of 1900	1692	jhgf.exe	30
PID 1692 wrote to memory of 1900	1692	jhgf.exe	30
PID 1692 wrote to memory of 1900	1692	jhgf.exe	30
PID 1692 wrote to memory of 1900	1692	jhgf.exe	30
PID 1692 wrote to memory of 1900	1692	jhgf.exe	30
PID 1692 wrote to memory of 1900	1692	jhgf.exe	30
PID 1692 wrote to memory of 1900	1692	jhgf.exe	30
PID 1692 wrote to memory of 1900	1692	jhgf.exe	30

Loads dropped DLL 2 IoCs

pid	Process
1164	Order_024,pdf.exe
1692	jhgf.exe

Executes dropped EXE 2 IoCs

pid	Process
1692	jhgf.exe
1900	AddInProcess32.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1692 set thread context of 1900	1692	jhgf.exe	30

Adds Run entry to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\jhgfg = "C:\\Windows\\system32\\pcalua.exe -a C:\\Users\\Admin\\AppData\\Roaming\\jhgf.exe"	reg.exe

C:\Users\Admin\AppData\Local\Temp\Order_024,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Order_024,pdf.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Loads dropped DLL
PID:1164
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v jhgfg /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\jhgf.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1424
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v jhgfg /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\jhgf.exe"
    3⤵
    - Adds Run entry to start application
    PID:1608
- C:\Users\Admin\AppData\Roaming\jhgf.exe
  "C:\Users\Admin\AppData\Roaming\jhgf.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Loads dropped DLL
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:1692
- - C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
    "C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Executes dropped EXE
    PID:1900

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

Web Service

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1900-14-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1900-17-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1900-18-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing