Analysis
-
max time kernel
148s -
max time network
148s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
05-01-2021 09:34
Static task
static1
Behavioral task
behavioral1
Sample
Original BL_pdf.scr
Resource
win7v20201028
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
Original BL_pdf.scr
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
General
-
Target
Original BL_pdf.scr
-
Size
136KB
-
MD5
7fd79d1258fa8ed52e0d49bd780acd2e
-
SHA1
ede2f547aae04f958172240dfd6cd0b76990e006
-
SHA256
581bd1167bd9b40944de9a2d8842ed8aa841fdfc69d896c24520873095e0ac03
-
SHA512
8b093424dccf6f879a792a6516536c8e02d771d0f7cd69eb706c553a0d75121a2cf9172c0f91de0c53189ce8eb6928e0b2a3ec4503024d63eb3090ec22c0feb0
Score
10/10
Malware Config
Signatures
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
ieinstal.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run ieinstal.exe Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\Startup key = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Appdata\\Yourphone.scr" ieinstal.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
Processes:
Original BL_pdf.scrieinstal.exepid process 500 Original BL_pdf.scr 2852 ieinstal.exe 2852 ieinstal.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
Original BL_pdf.scrdescription pid process target process PID 500 set thread context of 2852 500 Original BL_pdf.scr ieinstal.exe -
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
Original BL_pdf.scrpid process 500 Original BL_pdf.scr 500 Original BL_pdf.scr -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
Original BL_pdf.scrieinstal.exepid process 500 Original BL_pdf.scr 2852 ieinstal.exe -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
Original BL_pdf.scrdescription pid process target process PID 500 wrote to memory of 3164 500 Original BL_pdf.scr ieinstal.exe PID 500 wrote to memory of 3164 500 Original BL_pdf.scr ieinstal.exe PID 500 wrote to memory of 3164 500 Original BL_pdf.scr ieinstal.exe PID 500 wrote to memory of 2852 500 Original BL_pdf.scr ieinstal.exe PID 500 wrote to memory of 2852 500 Original BL_pdf.scr ieinstal.exe PID 500 wrote to memory of 2852 500 Original BL_pdf.scr ieinstal.exe PID 500 wrote to memory of 2852 500 Original BL_pdf.scr ieinstal.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Original BL_pdf.scr"C:\Users\Admin\AppData\Local\Temp\Original BL_pdf.scr" /S1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:500 -
C:\Program Files (x86)\internet explorer\ieinstal.exe"C:\Users\Admin\AppData\Local\Temp\Original BL_pdf.scr" /S2⤵PID:3164
-
C:\Program Files (x86)\internet explorer\ieinstal.exe"C:\Users\Admin\AppData\Local\Temp\Original BL_pdf.scr" /S2⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:2852