f1e52af7310c199ec5d44f16b37b6e4a7eebb3a55de5db292111440fa7d0da47

General

Target

PDFViewer.exe
Size

564KB
MD5

0b9f0463a2d36d53505c4911b74c8f08
SHA1

d5c929cbd199dadaa879fb9368103b11fb68e7fd
SHA256

f1e52af7310c199ec5d44f16b37b6e4a7eebb3a55de5db292111440fa7d0da47
SHA512

796e923ae65df8e652387628dccff85d2bfb793c99386aec34c2c6db3482d0bf97fd5586a72b4732b4bef2fe6aabd8e912b5b390068dd590d5d1a57d93f6d924

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1512-119-0x0000000000400000-0x00000000004F6000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

Processes:

PDFViewer.exe

description pid process target process

PID 1440 set thread context of 1512 1440 PDFViewer.exe PDFViewer.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

PDFViewer.exe

pid process

1440 PDFViewer.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

PDFViewer.exe

pid process

1512 PDFViewer.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

PDFViewer.exe

description pid process

Token: SeShutdownPrivilege 1512 PDFViewer.exe
Token: SeCreatePagefilePrivilege 1512 PDFViewer.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

PDFViewer.exe

pid process

1440 PDFViewer.exe

description	pid	process	target process
PID 1440 set thread context of 1512	1440	PDFViewer.exe	PDFViewer.exe

pid	process
1440	PDFViewer.exe

pid	process
1512	PDFViewer.exe

description	pid	process
Token: SeShutdownPrivilege	1512	PDFViewer.exe
Token: SeCreatePagefilePrivilege	1512	PDFViewer.exe

pid	process
1440	PDFViewer.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

PDFViewer.exePDFViewer.exe

description	pid	process	target process
PID 1440 wrote to memory of 1512	1440	PDFViewer.exe	PDFViewer.exe
PID 1440 wrote to memory of 1512	1440	PDFViewer.exe	PDFViewer.exe
PID 1440 wrote to memory of 1512	1440	PDFViewer.exe	PDFViewer.exe
PID 1440 wrote to memory of 1512	1440	PDFViewer.exe	PDFViewer.exe
PID 1512 wrote to memory of 844	1512	PDFViewer.exe	cmd.exe
PID 1512 wrote to memory of 844	1512	PDFViewer.exe	cmd.exe
PID 1512 wrote to memory of 844	1512	PDFViewer.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\PDFViewer.exe
"C:\Users\Admin\AppData\Local\Temp\PDFViewer.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1440

C:\Users\Admin\AppData\Local\Temp\PDFViewer.exe
"C:\Users\Admin\AppData\Local\Temp\PDFViewer.exe"
2⤵
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CRBhLBbxpcaKFFVj.bat" "
3⤵
PID:844

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CRBhLBbxpcaKFFVj.bat
MD5
0d1f0876bfe778ccb62df5c38b30e577

SHA1
8a3796021f1750880b7fe07eff2fd209c454c724

SHA256
d1ece5c6ebb992b301a70bcd83949fb447566ffae3baea79ec5a8499d6da88b4

SHA512
e0b8d65741d4d695d738786b480856889a3d226651ffa507e33170220e1cc7072bac87b95f0f63c6c3b485d6230d6f53169018f2d9c5b5d222214052a72f3e22

Download Submit
memory/844-121-0x0000000000000000-mapping.dmp

Download
memory/1440-116-0x0000000000A50000-0x0000000000A51000-memory.dmp

Filesize
4KB

Download
memory/1440-118-0x0000000000A60000-0x0000000000A67000-memory.dmp

Filesize
28KB

Download
memory/1512-117-0x00000000004F4AD0-mapping.dmp

Download
memory/1512-119-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/1512-120-0x00000000005B0000-0x00000000006FA000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing