a5d81b3d4d0df91d286ae0f3db7d166ecd013e8c53d1677be5b149edb9d15d42

General

Target

Remittance Advice Copy.pdf.exe
Size

407KB
MD5

6b5336f1d7c2b76f1ef01955efb37319
SHA1

fdf5963190fcb5e95bd72a321974c76bf3c3097b
SHA256

a5d81b3d4d0df91d286ae0f3db7d166ecd013e8c53d1677be5b149edb9d15d42
SHA512

c8868b27013cef64d7e6ac0d42853f8a812abc998d6af4b41ad871735b9c48d85ad2da510ebcf3fb3af2e06a20afacb242fd2470d0e406d4304e5ef3beb3afdd

Score

7^/10

Malware Config

Signatures

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

Remittance Advice Copy.pdf.exeExplorer.EXEcolorcpl.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Remittance Advice Copy.pdf.exeRemittance Advice Copy.pdf.execolorcpl.exe

description	pid	process
Token: SeDebugPrivilege	1016	Remittance Advice Copy.pdf.exe
Token: SeDebugPrivilege	1356	Remittance Advice Copy.pdf.exe
Token: SeDebugPrivilege	1792	colorcpl.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

Remittance Advice Copy.pdf.exeRemittance Advice Copy.pdf.execolorcpl.exe

pid	process
1016	Remittance Advice Copy.pdf.exe
1016	Remittance Advice Copy.pdf.exe
1356	Remittance Advice Copy.pdf.exe
1356	Remittance Advice Copy.pdf.exe
1356	Remittance Advice Copy.pdf.exe
1792	colorcpl.exe
1792	colorcpl.exe
1792	colorcpl.exe
1792	colorcpl.exe
1792	colorcpl.exe
1792	colorcpl.exe
1792	colorcpl.exe
1792	colorcpl.exe
1792	colorcpl.exe
1792	colorcpl.exe
1792	colorcpl.exe
1792	colorcpl.exe
1792	colorcpl.exe
1792	colorcpl.exe
1792	colorcpl.exe
1792	colorcpl.exe
1792	colorcpl.exe
1792	colorcpl.exe
1792	colorcpl.exe
1792	colorcpl.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

Remittance Advice Copy.pdf.exeRemittance Advice Copy.pdf.execolorcpl.exe

description	pid	process	target process
PID 1016 set thread context of 1356	1016	Remittance Advice Copy.pdf.exe	Remittance Advice Copy.pdf.exe
PID 1356 set thread context of 1336	1356	Remittance Advice Copy.pdf.exe	Explorer.EXE
PID 1356 set thread context of 1336	1356	Remittance Advice Copy.pdf.exe	Explorer.EXE
PID 1792 set thread context of 1336	1792	colorcpl.exe	Explorer.EXE

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

Remittance Advice Copy.pdf.execolorcpl.exe

pid	process
1356	Remittance Advice Copy.pdf.exe
1356	Remittance Advice Copy.pdf.exe
1356	Remittance Advice Copy.pdf.exe
1356	Remittance Advice Copy.pdf.exe
1792	colorcpl.exe
1792	colorcpl.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1776 cmd.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

Explorer.EXE

pid process

1336 Explorer.EXE
1336 Explorer.EXE
1336 Explorer.EXE
1336 Explorer.EXE
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Explorer.EXE

pid process

1336 Explorer.EXE
1336 Explorer.EXE
1336 Explorer.EXE
1336 Explorer.EXE

pid	process
1776	cmd.exe

pid	process
1336	Explorer.EXE
1336	Explorer.EXE
1336	Explorer.EXE
1336	Explorer.EXE

pid	process
1336	Explorer.EXE
1336	Explorer.EXE
1336	Explorer.EXE
1336	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1336

C:\Users\Admin\AppData\Local\Temp\Remittance Advice Copy.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Remittance Advice Copy.pdf.exe"
2⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetThreadContext
PID:1016

C:\Users\Admin\AppData\Local\Temp\Remittance Advice Copy.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Remittance Advice Copy.pdf.exe"
3⤵
PID:1680

C:\Users\Admin\AppData\Local\Temp\Remittance Advice Copy.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Remittance Advice Copy.pdf.exe"
3⤵
PID:1376

C:\Users\Admin\AppData\Local\Temp\Remittance Advice Copy.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Remittance Advice Copy.pdf.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1356

C:\Windows\SysWOW64\colorcpl.exe
"C:\Windows\SysWOW64\colorcpl.exe"
2⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1792

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Remittance Advice Copy.pdf.exe"
3⤵
- Deletes itself
PID:1776

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1016-1-0x0000000000000000-0x0000000000000000-disk.dmp

Download
memory/1356-2-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1356-3-0x000000000041E350-mapping.dmp

Download
memory/1776-6-0x0000000000000000-mapping.dmp

Download
memory/1792-4-0x0000000000000000-mapping.dmp

Download
memory/1792-5-0x00000000001B0000-0x00000000001C8000-memory.dmp

Filesize
96KB

Download
memory/1792-7-0x0000000002FC0000-0x00000000030D4000-memory.dmp

Filesize
1.1MB

Download

description	pid	process	target process
PID 1016 wrote to memory of 1680	1016	Remittance Advice Copy.pdf.exe	Remittance Advice Copy.pdf.exe
PID 1016 wrote to memory of 1680	1016	Remittance Advice Copy.pdf.exe	Remittance Advice Copy.pdf.exe
PID 1016 wrote to memory of 1680	1016	Remittance Advice Copy.pdf.exe	Remittance Advice Copy.pdf.exe
PID 1016 wrote to memory of 1680	1016	Remittance Advice Copy.pdf.exe	Remittance Advice Copy.pdf.exe
PID 1016 wrote to memory of 1376	1016	Remittance Advice Copy.pdf.exe	Remittance Advice Copy.pdf.exe
PID 1016 wrote to memory of 1376	1016	Remittance Advice Copy.pdf.exe	Remittance Advice Copy.pdf.exe
PID 1016 wrote to memory of 1376	1016	Remittance Advice Copy.pdf.exe	Remittance Advice Copy.pdf.exe
PID 1016 wrote to memory of 1376	1016	Remittance Advice Copy.pdf.exe	Remittance Advice Copy.pdf.exe
PID 1016 wrote to memory of 1356	1016	Remittance Advice Copy.pdf.exe	Remittance Advice Copy.pdf.exe
PID 1016 wrote to memory of 1356	1016	Remittance Advice Copy.pdf.exe	Remittance Advice Copy.pdf.exe
PID 1016 wrote to memory of 1356	1016	Remittance Advice Copy.pdf.exe	Remittance Advice Copy.pdf.exe
PID 1016 wrote to memory of 1356	1016	Remittance Advice Copy.pdf.exe	Remittance Advice Copy.pdf.exe
PID 1016 wrote to memory of 1356	1016	Remittance Advice Copy.pdf.exe	Remittance Advice Copy.pdf.exe
PID 1016 wrote to memory of 1356	1016	Remittance Advice Copy.pdf.exe	Remittance Advice Copy.pdf.exe
PID 1016 wrote to memory of 1356	1016	Remittance Advice Copy.pdf.exe	Remittance Advice Copy.pdf.exe
PID 1336 wrote to memory of 1792	1336	Explorer.EXE	colorcpl.exe
PID 1336 wrote to memory of 1792	1336	Explorer.EXE	colorcpl.exe
PID 1336 wrote to memory of 1792	1336	Explorer.EXE	colorcpl.exe
PID 1336 wrote to memory of 1792	1336	Explorer.EXE	colorcpl.exe
PID 1792 wrote to memory of 1776	1792	colorcpl.exe	cmd.exe
PID 1792 wrote to memory of 1776	1792	colorcpl.exe	cmd.exe
PID 1792 wrote to memory of 1776	1792	colorcpl.exe	cmd.exe
PID 1792 wrote to memory of 1776	1792	colorcpl.exe	cmd.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads