Analysis
- max time kernel: 127s
- max time network: 150s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 16-08-2021 17:32
Static task: static1

Behavioral task: behavioral1
- Sample: NUEVO PEDIDO -765452629 (URGENTE),pdf.exe
- Resource: win7v20210408 (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: NUEVO PEDIDO -765452629 (URGENTE),pdf.exe
- Resource: win10v20210410 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: NUEVO PEDIDO -765452629 (URGENTE),pdf.exe
- Size: 708KB
- MD5: d0e35038719cd6c35ebc5baff4f253ff
- SHA1: e8718844429a37fab6eeee50ab92607cd8457216
- SHA256: d15365b3bf19a02bf5275f1ccfca8c653783ad5c5e8937bb3b0545f4c998653d
- SHA512: 72188603c1229061327f965e677b4c41be913c914a47f21ede223b3dcaa44330f7fc0948d232c4a1e543820beb17e193aa65c63054ad3b92c7a4d2a1bfcdb108
- Score: 6/10
Malware Config
Signatures
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: NUEVO PEDIDO -765452629 (URGENTE),pdf.exe
  Description: Set value (str)
  IoC: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ovjpqtu = "C:\\Users\\Public\\Libraries\\utqpjvO.url"
- Program crash (1 IoC)
  Process: WerFault.exe (PID 304), target process: secinit.exe (PID 1624)
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Process: WerFault.exe (PID 304), 5 occurrences
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Process: WerFault.exe (PID 304)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: WerFault.exe (PID 304), Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (20 IoCs)
  PID 760 (NUEVO PEDIDO -765452629 (URGENTE),pdf.exe) wrote to memory of PID 1624 (secinit.exe), 16 occurrences
  PID 1624 (secinit.exe) wrote to memory of PID 304 (WerFault.exe), 4 occurrences
Processes
- C:\Users\Admin\AppData\Local\Temp\NUEVO PEDIDO -765452629 (URGENTE),pdf.exe (PID 760)
  Command line: "C:\Users\Admin\AppData\Local\Temp\NUEVO PEDIDO -765452629 (URGENTE),pdf.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\secinit.exe (PID 1624)
    Command line: C:\Windows\System32\secinit.exe
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe (PID 304)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1624 -s 172
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/304-63-0x0000000000000000-mapping.dmp
- memory/304-69-0x00000000002B0000-0x00000000002B1000-memory.dmp (4KB)
- memory/760-59-0x0000000075051000-0x0000000075053000-memory.dmp (8KB)
- memory/760-60-0x0000000000220000-0x0000000000221000-memory.dmp (4KB)
- memory/1624-61-0x0000000000000000-mapping.dmp
- memory/1624-66-0x0000000000220000-0x0000000000221000-memory.dmp (4KB)
- memory/1624-65-0x0000000000100000-0x0000000000101000-memory.dmp (4KB)
- memory/1624-64-0x0000000000080000-0x0000000000081000-memory.dmp (4KB)
- memory/1624-67-0x0000000010590000-0x000000001060D000-memory.dmp (500KB)