Analysis
max time kernel: 149s
max time network: 151s
platform: windows10_x64
resource: win10v20201028
submitted: 14-01-2021 06:53
Static task: static1
Behavioral task: behavioral1
Sample: PRS TT copy_pdf.exe
Resource: win7v20201028
General
Target: PRS TT copy_pdf.exe
Size: 297KB
MD5: c19720396e3a0517b1c3e9c75dcab551
SHA1: ceb4ae7e086ebfed538632b9413b7f61c23f6151
SHA256: 147690957c45aafb5929325a902f5c45e9b3a9845f0c9b273bd1e08f5e327d12
SHA512: a16e89c0a6112c1bd0eb75b61337e99ccd68b19b89e6cbbfcc6baa0bcaaffe6cabc209662240d0c929205c67d0ae5822e85b43be5f9d3b7cb62b947b890f00fc
Malware Config
Extracted: formbook
http://www.destinny.com/s9zh/
paintedinafrica.com
electrumfix.download
edlange.com
tqiawy.xyz
satiscenter.xyz
nc-affiliates.com
agencybuilderforum.com
testabcde.net
venisseturf.net
rubenvdsande.com
nzmatrimony.com
mdthriftsandflips.com
virtualfxstudio.com
communityinsuranceut.com
qqbokep.com
copeva.net
bookedupdaily.com
houstongrowmyairway.com
fortunapublishing.com
empireplumbingandheating.com
globalefactory.com
alfrednelson.com
kernwide.com
soulwaves.info
iregentos.info
emfirstchoice.com
popvoc.com
clubdeproyectos.com
nathanlaube.net
davaresoon.com
girlsnightoutcollection.net
alchemdiagnostics.com
intlgrowcap.com
northeasttnrentalproperties.com
1971265.com
yobingo.ltd
comunityassn.com
pupupe.com
physicianmedspa.com
forestloretour.com
tauntongo.com
elegancescent.com
traumatotrust.com
blkdenim.com
b-taking.com
naturalhealthadvisery.com
fight-box.com
socia1security.net
prestondelnorteapartments.com
peaclbgju.icu
thegolfclubatcirclec.com
westqueenwestlofts.com
elitedesignzink.com
czpeixun.com
blossomenterpriseuganda.com
danettesgifts.com
psikometriums.com
rainbowbanks.com
deshbari.com
movementspecialistslv.com
amkcar.com
contractorsan.com
onurtel.com
dotalogy.com
Signatures
Xloader Payload 3 IoCs
Processes:
resource | yara_rule
behavioral2/memory/2728-3-0x000000000041D060-mapping.dmp | xloader
behavioral2/memory/2728-2-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
behavioral2/memory/2992-5-0x0000000000000000-mapping.dmp | xloader
Uses the VBS compiler for execution 1 TTPs
Drops desktop.ini file(s) 2 IoCs
Processes: PRS TT copy_pdf.exe
description | ioc | process
File created | C:\Windows\assembly\Desktop.ini | PRS TT copy_pdf.exe
File opened for modification | C:\Windows\assembly\Desktop.ini | PRS TT copy_pdf.exe
Suspicious use of SetThreadContext 3 IoCs
Processes: PRS TT copy_pdf.exe, vbc.exe, msdt.exe
description | pid | process | target process
PID 816 set thread context of 2728 | 816 | PRS TT copy_pdf.exe | vbc.exe
PID 2728 set thread context of 3048 | 2728 | vbc.exe | Explorer.EXE
PID 2992 set thread context of 3048 | 2992 | msdt.exe | Explorer.EXE
Drops file in Windows directory 3 IoCs
Processes: PRS TT copy_pdf.exe
description | ioc | process
File opened for modification | C:\Windows\assembly | PRS TT copy_pdf.exe
File created | C:\Windows\assembly\Desktop.ini | PRS TT copy_pdf.exe
File opened for modification | C:\Windows\assembly\Desktop.ini | PRS TT copy_pdf.exe
Program crash 1 IoCs
Processes: WerFault.exe
pid | pid_target | process | target process
1760 | 816 | WerFault.exe | PRS TT copy_pdf.exe
Suspicious behavior: EnumeratesProcesses 73 IoCs
Processes: PRS TT copy_pdf.exe, vbc.exe, WerFault.exe, msdt.exe
pid | process
816 | PRS TT copy_pdf.exe (3 entries)
2728 | vbc.exe (4 entries)
1760 | WerFault.exe (14 entries)
2992 | msdt.exe (52 entries)
Suspicious behavior: MapViewOfSection 5 IoCs
Processes: vbc.exe, msdt.exe
pid | process
2728 | vbc.exe (3 entries)
2992 | msdt.exe (2 entries)
Suspicious use of AdjustPrivilegeToken 12 IoCs
Processes: PRS TT copy_pdf.exe, vbc.exe, WerFault.exe, Explorer.EXE, msdt.exe
description | pid | process
Token: SeDebugPrivilege | 816 | PRS TT copy_pdf.exe
Token: SeDebugPrivilege | 2728 | vbc.exe
Token: SeRestorePrivilege | 1760 | WerFault.exe
Token: SeBackupPrivilege | 1760 | WerFault.exe
Token: SeDebugPrivilege | 1760 | WerFault.exe
Token: SeShutdownPrivilege | 3048 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3048 | Explorer.EXE
Token: SeShutdownPrivilege | 3048 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3048 | Explorer.EXE
Token: SeShutdownPrivilege | 3048 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3048 | Explorer.EXE
Token: SeDebugPrivilege | 2992 | msdt.exe
Suspicious use of UnmapMainImage 1 IoCs
Processes: Explorer.EXE
pid | process
3048 | Explorer.EXE
Suspicious use of WriteProcessMemory 12 IoCs
Processes: PRS TT copy_pdf.exe, Explorer.EXE, msdt.exe
description | pid | process | target process
PID 816 wrote to memory of 2728 | 816 | PRS TT copy_pdf.exe | vbc.exe (6 entries)
PID 3048 wrote to memory of 2992 | 3048 | Explorer.EXE | msdt.exe (3 entries)
PID 2992 wrote to memory of 3044 | 2992 | msdt.exe | cmd.exe (3 entries)
Processes
C:\Windows\Explorer.EXE (depth 1)
Command line: C:\Windows\Explorer.EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\PRS TT copy_pdf.exe (depth 2)
  Command line: "C:\Users\Admin\AppData\Local\Temp\PRS TT copy_pdf.exe"
  - Drops desktop.ini file(s)
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (depth 3)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\WerFault.exe (depth 3)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 816 -s 1080
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\msdt.exe (depth 2)
  Command line: "C:\Windows\SysWOW64\msdt.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (depth 3)
    Command line: /c del "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/1760-4-0x0000000004E20000-0x0000000004E21000-memory.dmp (Filesize 4KB)
memory/2728-3-0x000000000041D060-mapping.dmp
memory/2728-2-0x0000000000400000-0x0000000000429000-memory.dmp (Filesize 164KB)
memory/2992-5-0x0000000000000000-mapping.dmp
memory/2992-6-0x0000000001020000-0x0000000001193000-memory.dmp (Filesize 1.4MB)
memory/2992-7-0x0000000001020000-0x0000000001193000-memory.dmp (Filesize 1.4MB)
memory/3044-8-0x0000000000000000-mapping.dmp