Analysis

  • max time kernel
    149s
  • max time network
    137s
  • platform
    windows10_x64
  • resource
    win10v200430
  • submitted
    13-07-2020 08:13

General

  • Target
    MV PACIFIC PRIDE_pdf.exe
  • Size
    935KB
  • MD5
    c7c69ce3ea541d3a88096b3a30e0d760
  • SHA1
    46468704dff1cc47b2160a48cbe2a8b3204d349b
  • SHA256
    e09725931c810fdc4e6c957dc80267e520c513813498078bbd646e5874e34ab2
  • SHA512
    f21d91245fe9e62974616613b530f7122857542ff4f03357292bf7d860f13e2c489364979a759c91cbdcca8ed65ae137102d54afc0840a73bc4b326287b4562a

Score
5/10

Malware Config

Signatures

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    • Suspicious use of AdjustPrivilegeToken
    PID:2984
    • C:\Users\Admin\AppData\Local\Temp\MV PACIFIC PRIDE_pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\MV PACIFIC PRIDE_pdf.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of SetThreadContext
      PID:2804
      • C:\Users\Admin\AppData\Local\Temp\MV PACIFIC PRIDE_pdf.exe
        "C:\Users\Admin\AppData\Local\Temp\MV PACIFIC PRIDE_pdf.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        PID:1060
    • C:\Windows\SysWOW64\autoconv.exe
      "C:\Windows\SysWOW64\autoconv.exe"
      2⤵
      PID:1456
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\SysWOW64\cmd.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      PID:1504
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\MV PACIFIC PRIDE_pdf.exe"
        3⤵
        PID:1808

Network

MITRE ATT&CK Matrix

Downloads

  • memory/1060-0-0x0000000000400000-0x000000000042D000-memory.dmp
    Filesize 180KB
  • memory/1060-1-0x000000000041E2B0-mapping.dmp
  • memory/1504-2-0x0000000000000000-mapping.dmp
  • memory/1504-3-0x0000000001130000-0x0000000001189000-memory.dmp
    Filesize 356KB
  • memory/1504-4-0x0000000001130000-0x0000000001189000-memory.dmp
    Filesize 356KB
  • memory/1504-6-0x0000000003FC0000-0x0000000004088000-memory.dmp
    Filesize 800KB
  • memory/1808-5-0x0000000000000000-mapping.dmp