Analysis
-
max time kernel
149s -
max time network
144s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
05-01-2021 09:34
Static task
static1
Behavioral task
behavioral1
Sample
Original BL_pdf.scr
Resource
win7v20201028
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
Original BL_pdf.scr
Resource
win10v20201028
0 signatures
0 seconds
General
-
Target
Original BL_pdf.scr
-
Size
136KB
-
MD5
7fd79d1258fa8ed52e0d49bd780acd2e
-
SHA1
ede2f547aae04f958172240dfd6cd0b76990e006
-
SHA256
581bd1167bd9b40944de9a2d8842ed8aa841fdfc69d896c24520873095e0ac03
-
SHA512
8b093424dccf6f879a792a6516536c8e02d771d0f7cd69eb706c553a0d75121a2cf9172c0f91de0c53189ce8eb6928e0b2a3ec4503024d63eb3090ec22c0feb0
Score
10/10
Malware Config
Signatures
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
ieinstal.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run ieinstal.exe Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\Startup key = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Appdata\\Yourphone.scr" ieinstal.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
Processes:
Original BL_pdf.scrieinstal.exepid process 1756 Original BL_pdf.scr 1300 ieinstal.exe 1300 ieinstal.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
Original BL_pdf.scrdescription pid process target process PID 1756 set thread context of 1300 1756 Original BL_pdf.scr ieinstal.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
Original BL_pdf.scrpid process 1756 Original BL_pdf.scr -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
Original BL_pdf.scrieinstal.exepid process 1756 Original BL_pdf.scr 1300 ieinstal.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
Original BL_pdf.scrdescription pid process target process PID 1756 wrote to memory of 1300 1756 Original BL_pdf.scr ieinstal.exe PID 1756 wrote to memory of 1300 1756 Original BL_pdf.scr ieinstal.exe PID 1756 wrote to memory of 1300 1756 Original BL_pdf.scr ieinstal.exe PID 1756 wrote to memory of 1300 1756 Original BL_pdf.scr ieinstal.exe PID 1756 wrote to memory of 1300 1756 Original BL_pdf.scr ieinstal.exe PID 1756 wrote to memory of 1300 1756 Original BL_pdf.scr ieinstal.exe PID 1756 wrote to memory of 1300 1756 Original BL_pdf.scr ieinstal.exe PID 1756 wrote to memory of 1300 1756 Original BL_pdf.scr ieinstal.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Original BL_pdf.scr"C:\Users\Admin\AppData\Local\Temp\Original BL_pdf.scr" /S1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\internet explorer\ieinstal.exe"C:\Users\Admin\AppData\Local\Temp\Original BL_pdf.scr" /S2⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx