Analysis
-
max time kernel
84s -
max time network
134s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
27-05-2021 15:32
Static task
static1
Behavioral task
behavioral1
Sample
PDFViewer.exe
Resource
win7v20210410
Behavioral task
behavioral2
Sample
PDFViewer.exe
Resource
win10v20210408
General
-
Target
PDFViewer.exe
-
Size
564KB
-
MD5
0b9f0463a2d36d53505c4911b74c8f08
-
SHA1
d5c929cbd199dadaa879fb9368103b11fb68e7fd
-
SHA256
f1e52af7310c199ec5d44f16b37b6e4a7eebb3a55de5db292111440fa7d0da47
-
SHA512
796e923ae65df8e652387628dccff85d2bfb793c99386aec34c2c6db3482d0bf97fd5586a72b4732b4bef2fe6aabd8e912b5b390068dd590d5d1a57d93f6d924
Malware Config
Signatures
-
Processes:
resource yara_rule behavioral2/memory/1512-119-0x0000000000400000-0x00000000004F6000-memory.dmp upx -
Suspicious use of SetThreadContext 1 IoCs
Processes:
PDFViewer.exedescription pid process target process PID 1440 set thread context of 1512 1440 PDFViewer.exe PDFViewer.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
PDFViewer.exepid process 1440 PDFViewer.exe -
Suspicious behavior: RenamesItself 1 IoCs
Processes:
PDFViewer.exepid process 1512 PDFViewer.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
PDFViewer.exedescription pid process Token: SeShutdownPrivilege 1512 PDFViewer.exe Token: SeCreatePagefilePrivilege 1512 PDFViewer.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
PDFViewer.exepid process 1440 PDFViewer.exe -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
PDFViewer.exePDFViewer.exedescription pid process target process PID 1440 wrote to memory of 1512 1440 PDFViewer.exe PDFViewer.exe PID 1440 wrote to memory of 1512 1440 PDFViewer.exe PDFViewer.exe PID 1440 wrote to memory of 1512 1440 PDFViewer.exe PDFViewer.exe PID 1440 wrote to memory of 1512 1440 PDFViewer.exe PDFViewer.exe PID 1512 wrote to memory of 844 1512 PDFViewer.exe cmd.exe PID 1512 wrote to memory of 844 1512 PDFViewer.exe cmd.exe PID 1512 wrote to memory of 844 1512 PDFViewer.exe cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\PDFViewer.exe"C:\Users\Admin\AppData\Local\Temp\PDFViewer.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\PDFViewer.exe"C:\Users\Admin\AppData\Local\Temp\PDFViewer.exe"2⤵
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CRBhLBbxpcaKFFVj.bat" "3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\CRBhLBbxpcaKFFVj.batMD5
0d1f0876bfe778ccb62df5c38b30e577
SHA18a3796021f1750880b7fe07eff2fd209c454c724
SHA256d1ece5c6ebb992b301a70bcd83949fb447566ffae3baea79ec5a8499d6da88b4
SHA512e0b8d65741d4d695d738786b480856889a3d226651ffa507e33170220e1cc7072bac87b95f0f63c6c3b485d6230d6f53169018f2d9c5b5d222214052a72f3e22
-
memory/844-121-0x0000000000000000-mapping.dmp
-
memory/1440-116-0x0000000000A50000-0x0000000000A51000-memory.dmpFilesize
4KB
-
memory/1440-118-0x0000000000A60000-0x0000000000A67000-memory.dmpFilesize
28KB
-
memory/1512-117-0x00000000004F4AD0-mapping.dmp
-
memory/1512-119-0x0000000000400000-0x00000000004F6000-memory.dmpFilesize
984KB
-
memory/1512-120-0x00000000005B0000-0x00000000006FA000-memory.dmpFilesize
1.3MB