Analysis
max time kernel: 150s
max time network: 36s
platform: windows7_x64
resource: win7v200722
submitted: 31-07-2020 11:43
Static task: static1
Behavioral task: behavioral1
Sample: Customer Complaint letter NHBRC258812.PDF.exe
Resource: win7v200722 (windows7_x64)
0 signatures
0 seconds
General
Target: Customer Complaint letter NHBRC258812.PDF.exe
Size: 329KB
MD5: 69940b99a87df030b38ab4b04281d7ff
SHA1: a4cecf005b0777ed740e4dc9671e87349e3017cc
SHA256: 9f829213a1f233378e8e9069adac865edfb8dd4a7e64998d273930c54ab258eb
SHA512: e43a7dedfcd91b104dcf77b45fd57e28b8dc20ce5a2ae0b094479c4651c8f60154695c13ac770e975d3cecd0d7cefd6d9237428c01cbea2ef1a85f9c29eae2dd
Malware Config
Signatures
Checks whether UAC is enabled
Processes:
- description: Key value queried
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  process: Customer Complaint letter NHBRC258812.PDF.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
- description: Key opened
  ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  process: Customer Complaint letter NHBRC258812.PDF.exe
- description: Key value queried
  ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
  process: Customer Complaint letter NHBRC258812.PDF.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
Processes:
- pid: 1332
  process: Customer Complaint letter NHBRC258812.PDF.exe
Suspicious use of AdjustPrivilegeToken (14 IoCs)
Processes (every row: pid 1332, process Customer Complaint letter NHBRC258812.PDF.exe):
- description: Token: SeDebugPrivilege
- description: Token: SeRestorePrivilege
- description: Token: SeBackupPrivilege
- description: Token: SeLoadDriverPrivilege
- description: Token: SeCreatePagefilePrivilege
- description: Token: SeShutdownPrivilege
- description: Token: SeTakeOwnershipPrivilege
- description: Token: SeChangeNotifyPrivilege
- description: Token: SeCreateTokenPrivilege
- description: Token: SeMachineAccountPrivilege
- description: Token: SeSecurityPrivilege
- description: Token: SeAssignPrimaryTokenPrivilege
- description: Token: SeCreateGlobalPrivilege
- description: Token: 33
Processes
- C:\Users\Admin\AppData\Local\Temp\Customer Complaint letter NHBRC258812.PDF.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Customer Complaint letter NHBRC258812.PDF.exe"
- Checks whether UAC is enabled
- Checks processor information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken