e09725931c810fdc4e6c957dc80267e520c513813498078bbd646e5874e34ab2

Analysis

Target

MV PACIFIC PRIDE_pdf.exe
Size

935KB
MD5

c7c69ce3ea541d3a88096b3a30e0d760
SHA1

46468704dff1cc47b2160a48cbe2a8b3204d349b
SHA256

e09725931c810fdc4e6c957dc80267e520c513813498078bbd646e5874e34ab2
SHA512

f21d91245fe9e62974616613b530f7122857542ff4f03357292bf7d860f13e2c489364979a759c91cbdcca8ed65ae137102d54afc0840a73bc4b326287b4562a

Score

5^/10

Suspicious behavior: EnumeratesProcesses 64 IoCs

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2804 wrote to memory of 1060	2804	MV PACIFIC PRIDE_pdf.exe	68
PID 2804 wrote to memory of 1060	2804	MV PACIFIC PRIDE_pdf.exe	68
PID 2804 wrote to memory of 1060	2804	MV PACIFIC PRIDE_pdf.exe	68
PID 2984 wrote to memory of 1504	2984	Explorer.EXE	70
PID 2984 wrote to memory of 1504	2984	Explorer.EXE	70
PID 2984 wrote to memory of 1504	2984	Explorer.EXE	70
PID 1504 wrote to memory of 1808	1504	cmd.exe	71
PID 1504 wrote to memory of 1808	1504	cmd.exe	71
PID 1504 wrote to memory of 1808	1504	cmd.exe	71

Suspicious behavior: MapViewOfSection 6 IoCs

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2804 set thread context of 1060	2804	MV PACIFIC PRIDE_pdf.exe	68
PID 1060 set thread context of 2984	1060	MV PACIFIC PRIDE_pdf.exe	56
PID 1504 set thread context of 2984	1504	cmd.exe	56

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	1060	MV PACIFIC PRIDE_pdf.exe
Token: SeDebugPrivilege	1504	cmd.exe
Token: SeShutdownPrivilege	2984	Explorer.EXE
Token: SeCreatePagefilePrivilege	2984	Explorer.EXE
Token: SeShutdownPrivilege	2984	Explorer.EXE
Token: SeCreatePagefilePrivilege	2984	Explorer.EXE
Token: SeShutdownPrivilege	2984	Explorer.EXE
Token: SeCreatePagefilePrivilege	2984	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
PID:2984
- C:\Users\Admin\AppData\Local\Temp\MV PACIFIC PRIDE_pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\MV PACIFIC PRIDE_pdf.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetThreadContext
  PID:2804
- - C:\Users\Admin\AppData\Local\Temp\MV PACIFIC PRIDE_pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\MV PACIFIC PRIDE_pdf.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    PID:1060
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:1456
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\SysWOW64\cmd.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:1504
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\MV PACIFIC PRIDE_pdf.exe"
    3⤵
    PID:1808

memory/1060-0-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1504-3-0x0000000001130000-0x0000000001189000-memory.dmp

Filesize
356KB

Download
memory/1504-4-0x0000000001130000-0x0000000001189000-memory.dmp

Filesize
356KB

Download
memory/1504-6-0x0000000003FC0000-0x0000000004088000-memory.dmp

Filesize
800KB

Download