Analysis
- max time kernel: 100s
- max time network: 113s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 23-08-2021 06:11
Static task: static1

Behavioral task: behavioral1
- Sample: 290321 de bon de commande,pdf.exe
- Resource: win7v20210408 (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: 290321 de bon de commande,pdf.exe
- Resource: win10v20210410 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: 290321 de bon de commande,pdf.exe
- Size: 689KB
- MD5: efa94719f0d14b3f8f330e5c7949dd2f
- SHA1: 6232070998c6d992941b4a5be9008efaf4af2370
- SHA256: 98f868900b27ba82ac18f919dc551ea15dc310813eb1538ebf2d0ab3afaa8328
- SHA512: 084f16cb4697e46744442c482c40a79f67262b2887087f3d21994aa24106d843ff7f4ecedfd4296e2922ccbcdfddb029a3130c6c493dfb1aa5b843e84f56acca
- Score: 8/10
Malware Config
Signatures

The three signatures below describe one chain. The sample (pid 1996) sets a Run value under the user's HKCU hive that points at a .url file under the world-writable C:\Users\Public\Libraries directory (persistence), writes into the memory of the mshta.exe child it spawned (pid 1660), and that mshta.exe process is the one making the network requests. Note that the Run value name, Nudxspy, is the .url file name (ypsxduN) spelled backwards.

- Blocklisted process makes network request (2 IoCs)
  flow  pid   process
  12    1660  mshta.exe
  15    1660  mshta.exe

- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nudxspy = "C:\\Users\\Public\\Libraries\\ypsxduN.url"
  process: 290321 de bon de commande,pdf.exe

- Suspicious use of WriteProcessMemory (16 IoCs)
  description: PID 1996 wrote to memory of 1660
  pid: 1996, process: 290321 de bon de commande,pdf.exe
  target process: mshta.exe (pid 1660)
  The report lists this identical event 16 times.
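The following is an added example and is not part of the sandbox report or its tooling. It parses the two IoC formats above (the Run-key "Set value" line and the "PID X wrote to memory of Y" line, copied from this report as constructed sample input) into structured findings and attaches the reasons a triage analyst would act on: an autostart entry pointing at a non-executable file under C:\Users\Public, a value name that is the file name reversed, repeated cross-process writes into a signed script host, and a writer whose name carries a document-lure double extension. It generalises slightly beyond this report by checking against a list of commonly abused script hosts and file types. The LOLBINS and SCRIPT_LIKE_EXT sets, the LURE_RE pattern and the reason strings are assumptions of this example, not sandbox output.

```python
"""Added example, not part of the sandbox report: parse the two behavioural
signatures above into structured findings.  Input lines are copied from this
report; the LOLBIN list, extension list and heuristics are assumptions."""
import re
from collections import Counter
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

# Constructed sample input, copied from the Signatures section of this report.
RUN_KEY_LINES = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000'
    r'\Software\Microsoft\Windows\CurrentVersion\Run\Nudxspy = '
    r'"C:\\Users\\Public\\Libraries\\ypsxduN.url"',
]
WPM_LINES = [
    "PID 1996 wrote to memory of 1660 1996 290321 de bon de commande,pdf.exe mshta.exe",
] * 16  # the report records this event 16 times

# Assumed list of signed Windows binaries routinely abused as script/proxy hosts.
LOLBINS = {"mshta.exe", "rundll32.exe", "regsvr32.exe", "wscript.exe", "cscript.exe",
           "regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe"}
# Assumed list of file types a Run value should not normally point at.
SCRIPT_LIKE_EXT = {".url", ".lnk", ".hta", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".ps1"}
# Document-like token just before the real extension ("...,pdf.exe"): a lure name.
LURE_RE = re.compile(r"[.,](pdf|docx?|xlsx?|pptx?|jpe?g|png)$", re.I)

RUN_RE = re.compile(r'^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\.+?)'
                    r'\\(?P<name>[^\\]+) = "(?P<data>.*)"$')
WPM_RE = re.compile(r'^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) '
                    r'(?P<src_image>.+?\.exe) (?P<dst_image>.+\.exe)$')


@dataclass
class RunKeyFinding:
    key: str
    name: str
    data: str
    reasons: list = field(default_factory=list)


@dataclass(frozen=True)
class WriteEvent:
    src_pid: int
    src_image: str
    dst_pid: int
    dst_image: str


def parse_run_key(line: str) -> RunKeyFinding:
    """Parse one 'Set value' IoC and attach the reasons it looks like persistence abuse."""
    m = RUN_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised Run-key IoC: {line!r}")
    data = m["data"].replace("\\\\", "\\")  # the report escapes backslashes in value data
    f = RunKeyFinding(m["key"], m["name"], data)
    target = PureWindowsPath(data)
    if data.lower().startswith(r"c:\users\public"):
        f.reasons.append("autostart target is under user-writable C:\\Users\\Public")
    if target.suffix.lower() in SCRIPT_LIKE_EXT:
        f.reasons.append(f"autostart target is a {target.suffix} file, not an executable")
    if target.stem and target.stem[::-1].lower() == f.name.lower():
        f.reasons.append("value name is the target file name reversed")
    return f


def parse_wpm(line: str) -> WriteEvent:
    """Parse one 'PID X wrote to memory of Y' IoC (target image is assumed to have no spaces)."""
    m = WPM_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised WriteProcessMemory IoC: {line!r}")
    return WriteEvent(int(m["src"]), m["src_image"], int(m["dst"]), m["dst_image"])


def summarise_writes(lines):
    """Collapse repeated write events into (event, count, reasons) tuples."""
    out = []
    for ev, n in Counter(parse_wpm(l) for l in lines).items():
        reasons = []
        if ev.dst_image.lower() in LOLBINS:
            reasons.append(f"{n} writes into the memory of signed script host {ev.dst_image}")
        if LURE_RE.search(PureWindowsPath(ev.src_image).stem):
            reasons.append(f"writer {ev.src_image!r} carries a document-lure double extension")
        out.append((ev, n, reasons))
    return out


def triage(run_lines=RUN_KEY_LINES, wpm_lines=WPM_LINES):
    """Return every finding that has at least one reason attached."""
    findings = [f for f in map(parse_run_key, run_lines) if f.reasons]
    findings += [(ev, n, r) for ev, n, r in summarise_writes(wpm_lines) if r]
    return findings


if __name__ == "__main__":
    for item in triage():
        print(item)
```

Run against the two IoC lines from this report, `triage()` yields one Run-key finding with three reasons and one collapsed write event (16 writes from pid 1996 into mshta.exe, pid 1660) with two reasons. The same parsers can be pointed at the exported IoC list of any report in this format; the reason lists are what you would carry into a detection rule or a ticket.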
Processes

1. C:\Users\Admin\AppData\Local\Temp\290321 de bon de commande,pdf.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\290321 de bon de commande,pdf.exe"
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\mshta.exe (child of 1)
      Command line: C:\Windows\System32\mshta.exe
      - Blocklisted process makes network request
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads (memory dumps; pid 1996 is the sample, pid 1660 is mshta.exe)
- memory/1660-62-0x0000000000000000-mapping.dmp
- memory/1660-66-0x0000000000130000-0x0000000000131000-memory.dmp (4KB)
- memory/1660-65-0x0000000000100000-0x0000000000101000-memory.dmp (4KB)
- memory/1660-64-0x0000000000080000-0x0000000000081000-memory.dmp (4KB)
- memory/1660-68-0x0000000000190000-0x00000000001C4000-memory.dmp (208KB)
- memory/1660-67-0x0000000010550000-0x0000000010586000-memory.dmp (216KB)
- memory/1996-60-0x0000000000220000-0x0000000000221000-memory.dmp (4KB)
- memory/1996-61-0x00000000767B1000-0x00000000767B3000-memory.dmp (8KB)