Analysis
-
max time kernel
13s -
max time network
65s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
11-01-2021 14:07
Static task
static1
Behavioral task
behavioral1
Sample
Payment_Confirmation pdf.exe
Resource
win7v20201028
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
Payment_Confirmation pdf.exe
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
General
-
Target
Payment_Confirmation pdf.exe
-
Size
436KB
-
MD5
767f88a961bfbc1b8f8419a32fbade0b
-
SHA1
5577d0635fca390c305ff560ca80a6ea19ff7c5b
-
SHA256
4f0035201ba7a3a536727862b8ac8dbf389038c5af1674ff7a982190fed1e30b
-
SHA512
c5ebaabcd0ecdd1d0a29e8964b02b8fad9961d7b2f144f0ad9a9b00e94cff1c4656c3154219a08ff062d97ad8d2b083a584cab7dd6e0417f233249ac3a2926c3
Score
7/10
Malware Config
Signatures
-
Uses the VBS compiler for execution 1 TTPs
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes:
Payment_Confirmation pdf.exepid process 640 Payment_Confirmation pdf.exe 640 Payment_Confirmation pdf.exe 640 Payment_Confirmation pdf.exe 640 Payment_Confirmation pdf.exe 640 Payment_Confirmation pdf.exe 640 Payment_Confirmation pdf.exe 640 Payment_Confirmation pdf.exe 640 Payment_Confirmation pdf.exe 640 Payment_Confirmation pdf.exe 640 Payment_Confirmation pdf.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
Payment_Confirmation pdf.exedescription pid process Token: SeDebugPrivilege 640 Payment_Confirmation pdf.exe -
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
Payment_Confirmation pdf.exedescription pid process target process PID 640 wrote to memory of 3768 640 Payment_Confirmation pdf.exe vbc.exe PID 640 wrote to memory of 3768 640 Payment_Confirmation pdf.exe vbc.exe PID 640 wrote to memory of 3768 640 Payment_Confirmation pdf.exe vbc.exe PID 640 wrote to memory of 3852 640 Payment_Confirmation pdf.exe vbc.exe PID 640 wrote to memory of 3852 640 Payment_Confirmation pdf.exe vbc.exe PID 640 wrote to memory of 3852 640 Payment_Confirmation pdf.exe vbc.exe PID 640 wrote to memory of 3028 640 Payment_Confirmation pdf.exe vbc.exe PID 640 wrote to memory of 3028 640 Payment_Confirmation pdf.exe vbc.exe PID 640 wrote to memory of 3028 640 Payment_Confirmation pdf.exe vbc.exe PID 640 wrote to memory of 3996 640 Payment_Confirmation pdf.exe vbc.exe PID 640 wrote to memory of 3996 640 Payment_Confirmation pdf.exe vbc.exe PID 640 wrote to memory of 3996 640 Payment_Confirmation pdf.exe vbc.exe PID 640 wrote to memory of 2024 640 Payment_Confirmation pdf.exe vbc.exe PID 640 wrote to memory of 2024 640 Payment_Confirmation pdf.exe vbc.exe PID 640 wrote to memory of 2024 640 Payment_Confirmation pdf.exe vbc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Payment_Confirmation pdf.exe"C:\Users\Admin\AppData\Local\Temp\Payment_Confirmation pdf.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"2⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/640-2-0x0000000073F80000-0x000000007466E000-memory.dmpFilesize
6.9MB
-
memory/640-3-0x0000000000970000-0x0000000000971000-memory.dmpFilesize
4KB
-
memory/640-5-0x0000000005310000-0x0000000005311000-memory.dmpFilesize
4KB
-
memory/640-6-0x0000000005270000-0x0000000005282000-memory.dmpFilesize
72KB