112b6fe2084ca3501c8a98a9cd90f60ce691a438864be736b049062379195818

General

Target

PO##4354267813...pdf.exe
Size

336KB
MD5

c5fb3b2e9f90517e533c327808e3dc2d
SHA1

2a36c1413dc4276c3c1f57cf392f93285380a93a
SHA256

112b6fe2084ca3501c8a98a9cd90f60ce691a438864be736b049062379195818
SHA512

eb254fd0b9577f382b3b29d999a0f43e1643e85aeca13fd0887eadf33a77a116612c739297e90f6b0aadb392e5aefa1a435b9bf6443e7c21acc62c3a88c38054

Score

7^/10

Malware Config

Signatures

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
1228	Explorer.EXE
1228	Explorer.EXE
1228	Explorer.EXE
1228	Explorer.EXE

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1492 wrote to memory of 556	1492	PO##4354267813...pdf.exe	24
PID 1492 wrote to memory of 556	1492	PO##4354267813...pdf.exe	24
PID 1492 wrote to memory of 556	1492	PO##4354267813...pdf.exe	24
PID 1492 wrote to memory of 556	1492	PO##4354267813...pdf.exe	24
PID 1492 wrote to memory of 1108	1492	PO##4354267813...pdf.exe	25
PID 1492 wrote to memory of 1108	1492	PO##4354267813...pdf.exe	25
PID 1492 wrote to memory of 1108	1492	PO##4354267813...pdf.exe	25
PID 1492 wrote to memory of 1108	1492	PO##4354267813...pdf.exe	25
PID 1492 wrote to memory of 1108	1492	PO##4354267813...pdf.exe	25
PID 1492 wrote to memory of 1108	1492	PO##4354267813...pdf.exe	25
PID 1492 wrote to memory of 1108	1492	PO##4354267813...pdf.exe	25
PID 1228 wrote to memory of 1028	1228	Explorer.EXE	26
PID 1228 wrote to memory of 1028	1228	Explorer.EXE	26
PID 1228 wrote to memory of 1028	1228	Explorer.EXE	26
PID 1228 wrote to memory of 1028	1228	Explorer.EXE	26
PID 1228 wrote to memory of 1028	1228	Explorer.EXE	26
PID 1228 wrote to memory of 1028	1228	Explorer.EXE	26
PID 1228 wrote to memory of 1028	1228	Explorer.EXE	26
PID 1028 wrote to memory of 1496	1028	cmstp.exe	27
PID 1028 wrote to memory of 1496	1028	cmstp.exe	27
PID 1028 wrote to memory of 1496	1028	cmstp.exe	27
PID 1028 wrote to memory of 1496	1028	cmstp.exe	27

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1492	PO##4354267813...pdf.exe
Token: SeDebugPrivilege	1108	PO##4354267813...pdf.exe
Token: SeDebugPrivilege	1028	cmstp.exe
Token: SeShutdownPrivilege	1228	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
1492	PO##4354267813...pdf.exe
1108	PO##4354267813...pdf.exe
1108	PO##4354267813...pdf.exe
1108	PO##4354267813...pdf.exe
1028	cmstp.exe
1028	cmstp.exe
1028	cmstp.exe
1028	cmstp.exe
1028	cmstp.exe
1028	cmstp.exe
1028	cmstp.exe
1028	cmstp.exe
1028	cmstp.exe
1028	cmstp.exe
1028	cmstp.exe
1028	cmstp.exe
1028	cmstp.exe
1028	cmstp.exe
1028	cmstp.exe
1028	cmstp.exe
1028	cmstp.exe
1028	cmstp.exe
1028	cmstp.exe
1028	cmstp.exe
1028	cmstp.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
1108	PO##4354267813...pdf.exe
1108	PO##4354267813...pdf.exe
1108	PO##4354267813...pdf.exe
1108	PO##4354267813...pdf.exe
1028	cmstp.exe
1028	cmstp.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1492 set thread context of 1108	1492	PO##4354267813...pdf.exe	25
PID 1108 set thread context of 1228	1108	PO##4354267813...pdf.exe	20
PID 1108 set thread context of 1228	1108	PO##4354267813...pdf.exe	20
PID 1028 set thread context of 1228	1028	cmstp.exe	20

Deletes itself 1 IoCs

pid	Process
1496	cmd.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
1228	Explorer.EXE
1228	Explorer.EXE
1228	Explorer.EXE
1228	Explorer.EXE
1228	Explorer.EXE

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Checks whether UAC is enabled
PID:1228
- C:\Users\Admin\AppData\Local\Temp\PO##4354267813...pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\PO##4354267813...pdf.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetThreadContext
  PID:1492
- - C:\Users\Admin\AppData\Local\Temp\PO##4354267813...pdf.exe
    "{path}"
    3⤵
    PID:556
- - C:\Users\Admin\AppData\Local\Temp\PO##4354267813...pdf.exe
    "{path}"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of SetThreadContext
    PID:1108
- C:\Windows\SysWOW64\cmstp.exe
  "C:\Windows\SysWOW64\cmstp.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetThreadContext
  PID:1028
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\PO##4354267813...pdf.exe"
    3⤵
    - Deletes itself
    PID:1496

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1028-5-0x0000000000B90000-0x0000000000BA8000-memory.dmp

Filesize
96KB

Download
memory/1028-7-0x00000000009D0000-0x0000000000A82000-memory.dmp

Filesize
712KB

Download
memory/1108-2-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing