Analysis
max time kernel: 135s
max time network: 31s
platform: windows7_x64
resource: win7v200430
submitted: 13-07-2020 07:00
Static task: static1
Behavioral task: behavioral1
  Sample: Shipmet_Documents_DHL_AWB #7849402748,pdf.exe
  Resource: win7v200430 (windows7_x64)
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: Shipmet_Documents_DHL_AWB #7849402748,pdf.exe
  Resource: win10 (windows10_x64)
  0 signatures, 0 seconds
General
Target: Shipmet_Documents_DHL_AWB #7849402748,pdf.exe
Size: 4.6MB
MD5: 7130e2694cca996709191b76808eef93
SHA1: b1365ba832f6c4d6e03fc82404b966a8fa851145
SHA256: 4feb056769f2ac7fb07a65bfd3d5ca0fc22e8f3b3cf046fc586c782935ca2445
SHA512: a2ce34dcb242d7925e610c88ad7faf8ff4396044c5da4f798bcde88e61f3643e9aff97da91a2b5a939c5007b0774517058729be17dadd45a27c6fa34a68ae024
Score: 8/10
Malware Config
Signatures
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description              pid   process
  Token: SeDebugPrivilege  1312  Shipmet_Documents_DHL_AWB #7849402748,pdf.exe
  Token: SeDebugPrivilege  568   Triou.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes:
  pid   process
  1312  Shipmet_Documents_DHL_AWB #7849402748,pdf.exe
  1312  Shipmet_Documents_DHL_AWB #7849402748,pdf.exe
  1312  Shipmet_Documents_DHL_AWB #7849402748,pdf.exe
  568   Triou.exe
Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  description                      pid   process                                         target process
  PID 1312 wrote to memory of 1840  1312  Shipmet_Documents_DHL_AWB #7849402748,pdf.exe  cmd.exe
  PID 1312 wrote to memory of 1840  1312  Shipmet_Documents_DHL_AWB #7849402748,pdf.exe  cmd.exe
  PID 1312 wrote to memory of 1840  1312  Shipmet_Documents_DHL_AWB #7849402748,pdf.exe  cmd.exe
  PID 1312 wrote to memory of 1840  1312  Shipmet_Documents_DHL_AWB #7849402748,pdf.exe  cmd.exe
  PID 1840 wrote to memory of 1780  1840  cmd.exe                                         reg.exe
  PID 1840 wrote to memory of 1780  1840  cmd.exe                                         reg.exe
  PID 1840 wrote to memory of 1780  1840  cmd.exe                                         reg.exe
  PID 1840 wrote to memory of 1780  1840  cmd.exe                                         reg.exe
  PID 1312 wrote to memory of 568   1312  Shipmet_Documents_DHL_AWB #7849402748,pdf.exe  Triou.exe
  PID 1312 wrote to memory of 568   1312  Shipmet_Documents_DHL_AWB #7849402748,pdf.exe  Triou.exe
  PID 1312 wrote to memory of 568   1312  Shipmet_Documents_DHL_AWB #7849402748,pdf.exe  Triou.exe
  PID 1312 wrote to memory of 568   1312  Shipmet_Documents_DHL_AWB #7849402748,pdf.exe  Triou.exe
Loads dropped DLL (1 IoC)
Processes:
  pid   process
  1312  Shipmet_Documents_DHL_AWB #7849402748,pdf.exe
Executes dropped EXE (1 IoC)
Processes:
  pid  process
  568  Triou.exe
Adds Run entry to start application (2 TTPs, 2 IoCs)
Processes:
  description      ioc                                                                                                                                        process
  Set value (str)  \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\Awrade = "C:\\Windows\\system32\\pcalua.exe -a C:\\Users\\Admin\\AppData\\Roaming\\Triou.exe"  reg.exe
  Key created      \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run                                  reg.exe
Processes
depth 1: C:\Users\Admin\AppData\Local\Temp\Shipmet_Documents_DHL_AWB #7849402748,pdf.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Shipmet_Documents_DHL_AWB #7849402748,pdf.exe"
  PID: 1312
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Loads dropped DLL
  depth 2: C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v Awrade /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\Triou.exe"
    PID: 1840
    - Suspicious use of WriteProcessMemory
    depth 3: C:\Windows\SysWOW64\reg.exe
      command line: REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v Awrade /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\Triou.exe"
      PID: 1780
      - Adds Run entry to start application
  depth 2: C:\Users\Admin\AppData\Roaming\Triou.exe
    command line: "C:\Users\Admin\AppData\Roaming\Triou.exe"
    PID: 568
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Roaming\Triou.exe
- C:\Users\Admin\AppData\Roaming\Triou.exe
- \Users\Admin\AppData\Roaming\Triou.exe
- memory/568-7-0x0000000000000000-mapping.dmp
- memory/1312-1-0x0000000000000000-0x0000000000000000-disk.dmp
- memory/1780-5-0x0000000000000000-mapping.dmp
- memory/1840-4-0x0000000000000000-mapping.dmp