d15365b3bf19a02bf5275f1ccfca8c653783ad5c5e8937bb3b0545f4c998653d

General

Target

NUEVO PEDIDO -765452629 (URGENTE),pdf.exe
Size

708KB
MD5

d0e35038719cd6c35ebc5baff4f253ff
SHA1

e8718844429a37fab6eeee50ab92607cd8457216
SHA256

d15365b3bf19a02bf5275f1ccfca8c653783ad5c5e8937bb3b0545f4c998653d
SHA512

72188603c1229061327f965e677b4c41be913c914a47f21ede223b3dcaa44330f7fc0948d232c4a1e543820beb17e193aa65c63054ad3b92c7a4d2a1bfcdb108

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

NUEVO PEDIDO -765452629 (URGENTE),pdf.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ovjpqtu = "C:\\Users\\Public\\Libraries\\utqpjvO.url"	NUEVO PEDIDO -765452629 (URGENTE),pdf.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

304 1624 WerFault.exe secinit.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

WerFault.exe

pid process

304 WerFault.exe
304 WerFault.exe
304 WerFault.exe
304 WerFault.exe
304 WerFault.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WerFault.exe

pid process

304 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 304 WerFault.exe

pid	pid_target	process	target process
304	1624	WerFault.exe	secinit.exe

pid	process
304	WerFault.exe
304	WerFault.exe
304	WerFault.exe
304	WerFault.exe
304	WerFault.exe

pid	process
304	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	304	WerFault.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

NUEVO PEDIDO -765452629 (URGENTE),pdf.exesecinit.exe

description	pid	process	target process
PID 760 wrote to memory of 1624	760	NUEVO PEDIDO -765452629 (URGENTE),pdf.exe	secinit.exe
PID 760 wrote to memory of 1624	760	NUEVO PEDIDO -765452629 (URGENTE),pdf.exe	secinit.exe
PID 760 wrote to memory of 1624	760	NUEVO PEDIDO -765452629 (URGENTE),pdf.exe	secinit.exe
PID 760 wrote to memory of 1624	760	NUEVO PEDIDO -765452629 (URGENTE),pdf.exe	secinit.exe
PID 760 wrote to memory of 1624	760	NUEVO PEDIDO -765452629 (URGENTE),pdf.exe	secinit.exe
PID 760 wrote to memory of 1624	760	NUEVO PEDIDO -765452629 (URGENTE),pdf.exe	secinit.exe
PID 760 wrote to memory of 1624	760	NUEVO PEDIDO -765452629 (URGENTE),pdf.exe	secinit.exe
PID 760 wrote to memory of 1624	760	NUEVO PEDIDO -765452629 (URGENTE),pdf.exe	secinit.exe
PID 760 wrote to memory of 1624	760	NUEVO PEDIDO -765452629 (URGENTE),pdf.exe	secinit.exe
PID 760 wrote to memory of 1624	760	NUEVO PEDIDO -765452629 (URGENTE),pdf.exe	secinit.exe
PID 760 wrote to memory of 1624	760	NUEVO PEDIDO -765452629 (URGENTE),pdf.exe	secinit.exe
PID 760 wrote to memory of 1624	760	NUEVO PEDIDO -765452629 (URGENTE),pdf.exe	secinit.exe
PID 760 wrote to memory of 1624	760	NUEVO PEDIDO -765452629 (URGENTE),pdf.exe	secinit.exe
PID 760 wrote to memory of 1624	760	NUEVO PEDIDO -765452629 (URGENTE),pdf.exe	secinit.exe
PID 760 wrote to memory of 1624	760	NUEVO PEDIDO -765452629 (URGENTE),pdf.exe	secinit.exe
PID 760 wrote to memory of 1624	760	NUEVO PEDIDO -765452629 (URGENTE),pdf.exe	secinit.exe
PID 1624 wrote to memory of 304	1624	secinit.exe	WerFault.exe
PID 1624 wrote to memory of 304	1624	secinit.exe	WerFault.exe
PID 1624 wrote to memory of 304	1624	secinit.exe	WerFault.exe
PID 1624 wrote to memory of 304	1624	secinit.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\NUEVO PEDIDO -765452629 (URGENTE),pdf.exe
"C:\Users\Admin\AppData\Local\Temp\NUEVO PEDIDO -765452629 (URGENTE),pdf.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:760

C:\Windows\SysWOW64\secinit.exe
C:\Windows\System32\secinit.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1624 -s 172
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:304

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/304-63-0x0000000000000000-mapping.dmp

Download
memory/304-69-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/760-59-0x0000000075051000-0x0000000075053000-memory.dmp

Filesize
8KB

Download
memory/760-60-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1624-61-0x0000000000000000-mapping.dmp

Download
memory/1624-66-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1624-65-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/1624-64-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/1624-67-0x0000000010590000-0x000000001060D000-memory.dmp

Filesize
500KB

Download

Analysis

Sharing