4f0035201ba7a3a536727862b8ac8dbf389038c5af1674ff7a982190fed1e30b

General

Target

Payment_Confirmation pdf.exe
Size

436KB
MD5

767f88a961bfbc1b8f8419a32fbade0b
SHA1

5577d0635fca390c305ff560ca80a6ea19ff7c5b
SHA256

4f0035201ba7a3a536727862b8ac8dbf389038c5af1674ff7a982190fed1e30b
SHA512

c5ebaabcd0ecdd1d0a29e8964b02b8fad9961d7b2f144f0ad9a9b00e94cff1c4656c3154219a08ff062d97ad8d2b083a584cab7dd6e0417f233249ac3a2926c3

Score

7^/10

Malware Config

Signatures

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

Payment_Confirmation pdf.exe

pid	process
640	Payment_Confirmation pdf.exe
640	Payment_Confirmation pdf.exe
640	Payment_Confirmation pdf.exe
640	Payment_Confirmation pdf.exe
640	Payment_Confirmation pdf.exe
640	Payment_Confirmation pdf.exe
640	Payment_Confirmation pdf.exe
640	Payment_Confirmation pdf.exe
640	Payment_Confirmation pdf.exe
640	Payment_Confirmation pdf.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Payment_Confirmation pdf.exe

description pid process

Token: SeDebugPrivilege 640 Payment_Confirmation pdf.exe

description	pid	process
Token: SeDebugPrivilege	640	Payment_Confirmation pdf.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

Payment_Confirmation pdf.exe

description	pid	process	target process
PID 640 wrote to memory of 3768	640	Payment_Confirmation pdf.exe	vbc.exe
PID 640 wrote to memory of 3768	640	Payment_Confirmation pdf.exe	vbc.exe
PID 640 wrote to memory of 3768	640	Payment_Confirmation pdf.exe	vbc.exe
PID 640 wrote to memory of 3852	640	Payment_Confirmation pdf.exe	vbc.exe
PID 640 wrote to memory of 3852	640	Payment_Confirmation pdf.exe	vbc.exe
PID 640 wrote to memory of 3852	640	Payment_Confirmation pdf.exe	vbc.exe
PID 640 wrote to memory of 3028	640	Payment_Confirmation pdf.exe	vbc.exe
PID 640 wrote to memory of 3028	640	Payment_Confirmation pdf.exe	vbc.exe
PID 640 wrote to memory of 3028	640	Payment_Confirmation pdf.exe	vbc.exe
PID 640 wrote to memory of 3996	640	Payment_Confirmation pdf.exe	vbc.exe
PID 640 wrote to memory of 3996	640	Payment_Confirmation pdf.exe	vbc.exe
PID 640 wrote to memory of 3996	640	Payment_Confirmation pdf.exe	vbc.exe
PID 640 wrote to memory of 2024	640	Payment_Confirmation pdf.exe	vbc.exe
PID 640 wrote to memory of 2024	640	Payment_Confirmation pdf.exe	vbc.exe
PID 640 wrote to memory of 2024	640	Payment_Confirmation pdf.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\Payment_Confirmation pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Payment_Confirmation pdf.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:640

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
PID:3768

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
PID:3852

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
PID:3028

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
PID:3996

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
PID:2024

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/640-2-0x0000000073F80000-0x000000007466E000-memory.dmp

Filesize
6.9MB

Download
memory/640-3-0x0000000000970000-0x0000000000971000-memory.dmp

Filesize
4KB

Download
memory/640-5-0x0000000005310000-0x0000000005311000-memory.dmp

Filesize
4KB

Download
memory/640-6-0x0000000005270000-0x0000000005282000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing