ab5f254a91426311df7fe85d3442b62c7b69dd1c6e444ef725ddcba5a06ac961

Analysis

max time kernel
77s
max time network
127s
platform
windows10_x64
resource
win10
submitted
14-07-2020 22:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

overdue invoice.pdf.exe
Size

1.3MB
MD5

dc5f5ae953f37c7f54a3d787fc2353ca
SHA1

75de209d727492f675faec351f728c2b9d09b565
SHA256

ab5f254a91426311df7fe85d3442b62c7b69dd1c6e444ef725ddcba5a06ac961
SHA512

32c651b7e91fd467616ab5391e4e4e51d343c4d91da4afbf8a8f63d5db2d3f60bca6cf3d77d88daa15da8cbdd7a9dccc7ab3766d859472ed7ca9e4b9ce9decd3

Score

5^/10

Malware Config

Signatures

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeRestorePrivilege	3380	dw20.exe
Token: SeBackupPrivilege	3380	dw20.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3380	dw20.exe
3380	dw20.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3100 wrote to memory of 3860	3100	overdue invoice.pdf.exe	67
PID 3100 wrote to memory of 3860	3100	overdue invoice.pdf.exe	67
PID 3100 wrote to memory of 3860	3100	overdue invoice.pdf.exe	67
PID 3100 wrote to memory of 3860	3100	overdue invoice.pdf.exe	67
PID 3100 wrote to memory of 3860	3100	overdue invoice.pdf.exe	67
PID 3100 wrote to memory of 3860	3100	overdue invoice.pdf.exe	67
PID 3100 wrote to memory of 3860	3100	overdue invoice.pdf.exe	67
PID 3100 wrote to memory of 3860	3100	overdue invoice.pdf.exe	67
PID 3860 wrote to memory of 3380	3860	RegSvcs.exe	68
PID 3860 wrote to memory of 3380	3860	RegSvcs.exe	68
PID 3860 wrote to memory of 3380	3860	RegSvcs.exe	68

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3100 set thread context of 3860	3100	overdue invoice.pdf.exe	67

C:\Users\Admin\AppData\Local\Temp\overdue invoice.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\overdue invoice.pdf.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
PID:3100
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
  "{path}"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3860
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 696
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    PID:3380

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3380-24-0x0000000000B30000-0x0000000000B31000-memory.dmp

Filesize
4KB

Download
memory/3380-43-0x0000000000B30000-0x0000000000B31000-memory.dmp

Filesize
4KB

Download
memory/3380-3-0x0000000002600000-0x0000000002601000-memory.dmp

Filesize
4KB

Download
memory/3380-4-0x0000000002AA0000-0x0000000002AA1000-memory.dmp

Filesize
4KB

Download
memory/3380-48-0x0000000002E80000-0x0000000002E81000-memory.dmp

Filesize
4KB

Download
memory/3380-46-0x0000000000B30000-0x0000000000B31000-memory.dmp

Filesize
4KB

Download
memory/3380-45-0x0000000000B30000-0x0000000000B31000-memory.dmp

Filesize
4KB

Download
memory/3380-44-0x0000000000B30000-0x0000000000B31000-memory.dmp

Filesize
4KB

Download
memory/3380-42-0x0000000000B30000-0x0000000000B31000-memory.dmp

Filesize
4KB

Download
memory/3380-10-0x0000000000B30000-0x0000000000B31000-memory.dmp

Filesize
4KB

Download
memory/3380-11-0x0000000002E80000-0x0000000002E81000-memory.dmp

Filesize
4KB

Download
memory/3380-12-0x0000000000B30000-0x0000000000B31000-memory.dmp

Filesize
4KB

Download
memory/3380-13-0x0000000000B30000-0x0000000000B31000-memory.dmp

Filesize
4KB

Download
memory/3380-22-0x0000000000B30000-0x0000000000B31000-memory.dmp

Filesize
4KB

Download
memory/3380-14-0x0000000000B30000-0x0000000000B31000-memory.dmp

Filesize
4KB

Download
memory/3380-16-0x0000000000B30000-0x0000000000B31000-memory.dmp

Filesize
4KB

Download
memory/3380-17-0x0000000000B30000-0x0000000000B31000-memory.dmp

Filesize
4KB

Download
memory/3380-19-0x0000000000B30000-0x0000000000B31000-memory.dmp

Filesize
4KB

Download
memory/3380-18-0x0000000000B30000-0x0000000000B31000-memory.dmp

Filesize
4KB

Download
memory/3380-21-0x0000000000B30000-0x0000000000B31000-memory.dmp

Filesize
4KB

Download
memory/3380-20-0x0000000000B30000-0x0000000000B31000-memory.dmp

Filesize
4KB

Download
memory/3380-15-0x0000000000B30000-0x0000000000B31000-memory.dmp

Filesize
4KB

Download
memory/3380-23-0x0000000000B30000-0x0000000000B31000-memory.dmp

Filesize
4KB

Download
memory/3380-32-0x0000000000B30000-0x0000000000B31000-memory.dmp

Filesize
4KB

Download
memory/3380-25-0x0000000000B30000-0x0000000000B31000-memory.dmp

Filesize
4KB

Download
memory/3380-26-0x0000000000B30000-0x0000000000B31000-memory.dmp

Filesize
4KB

Download
memory/3380-27-0x0000000000B30000-0x0000000000B31000-memory.dmp

Filesize
4KB

Download
memory/3380-28-0x0000000000B30000-0x0000000000B31000-memory.dmp

Filesize
4KB

Download
memory/3380-29-0x0000000000B30000-0x0000000000B31000-memory.dmp

Filesize
4KB

Download
memory/3380-30-0x0000000000B30000-0x0000000000B31000-memory.dmp

Filesize
4KB

Download
memory/3380-31-0x0000000000B30000-0x0000000000B31000-memory.dmp

Filesize
4KB

Download
memory/3380-41-0x0000000000B30000-0x0000000000B31000-memory.dmp

Filesize
4KB

Download
memory/3380-33-0x0000000000B30000-0x0000000000B31000-memory.dmp

Filesize
4KB

Download
memory/3380-34-0x0000000000B30000-0x0000000000B31000-memory.dmp

Filesize
4KB

Download
memory/3380-35-0x0000000000B30000-0x0000000000B31000-memory.dmp

Filesize
4KB

Download
memory/3380-36-0x0000000000B30000-0x0000000000B31000-memory.dmp

Filesize
4KB

Download
memory/3380-37-0x0000000000B30000-0x0000000000B31000-memory.dmp

Filesize
4KB

Download
memory/3380-38-0x0000000000B30000-0x0000000000B31000-memory.dmp

Filesize
4KB

Download
memory/3380-39-0x0000000000B30000-0x0000000000B31000-memory.dmp

Filesize
4KB

Download
memory/3380-40-0x0000000000B30000-0x0000000000B31000-memory.dmp

Filesize
4KB

Download
memory/3860-0-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download