Analysis
max time kernel: 78s
max time network: 33s
platform: windows7_x64
resource: win7-en-20210920
submitted: 05-10-2021 12:08
Static task: static1
Behavioral task: behavioral1
  Sample: Payment Confirmation_pdf.exe
  Resource: win7-en-20210920
Behavioral task: behavioral2
  Sample: Payment Confirmation_pdf.exe
  Resource: win10v20210408
General
Target: Payment Confirmation_pdf.exe
Size: 6.8MB
MD5: ba8d0f2355ba88d4833cb563fd88dcd5
SHA1: 7304cb58dbb342415f9703b24f0ac1a87cf2f6df
SHA256: fbccca4d8868b54f1d1741eb80cf9dc88953b5fd77284b61faa2bd240023d63c
SHA512: ee341a10f753b829611e83b6078b9deca3dbf75541bf9395c43706e10ee17617b214be1e4ca6e5b11756d405b8a7b37c2327d44c16970e9d3d4853de078e5276
Malware Config
Signatures
Loads dropped DLL (14 IoCs)
  Processes: Payment Confirmation_pdf.exe, pid 1532 (14 entries)
Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Network flows: flow 1 api.ipify.org; flow 2 api.ipify.org
Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes: taskmgr.exe, pid 624 (8 entries)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: taskmgr.exe, pid 624
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: taskmgr.exe, pid 624, Token: SeDebugPrivilege
Suspicious use of FindShellTrayWindow (34 IoCs)
  Processes: taskmgr.exe, pid 624 (34 entries)
Suspicious use of SendNotifyMessage (34 IoCs)
  Processes: taskmgr.exe, pid 624 (34 entries)
Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: PID 1552 (Payment Confirmation_pdf.exe) wrote to memory of PID 1532 (Payment Confirmation_pdf.exe), 3 entries
Processes
C:\Users\Admin\AppData\Local\Temp\Payment Confirmation_pdf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Payment Confirmation_pdf.exe"
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\Payment Confirmation_pdf.exe (child)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Payment Confirmation_pdf.exe"
      - Loads dropped DLL
C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Matrix
Downloads
C:\Users\Admin\AppData\Local\Temp\_MEI15522\VCRUNTIME140.dll
  MD5: 7942be5474a095f673582997ae3054f1
  SHA1: e982f6ebc74d31153ba9738741a7eec03a9fa5e8
  SHA256: 8ee6b49830436ff3bec9ba89213395427b5535813930489f118721fd3d2d942c
  SHA512: 49fbc9d441362b65a8d78b73d4fdcf988f22d38a35a36a233fcd54e99e95e29b804be7eabe2b174188c7860ebb34f701e13ed216f954886a285bed7127619039
C:\Users\Admin\AppData\Local\Temp\_MEI15522\_bz2.pyd
  MD5: 712a8dba2916f0261a1290a8e3d85ebf
  SHA1: 27dbfa5de547c30c457855594272545dafaeb39d
  SHA256: d6e5763cecd267be0ff5355ff53e93428f3dd7ab20458fb1e7432dffa060cf82
  SHA512: 662664189f3a426a2042c998a5396fcb660f1ec123fe8089ec740ae414e0da9173d2e1abb6a231b3271bba9c4cb2a3a0a6ea45c475531bb986a4d085e74de1d9
C:\Users\Admin\AppData\Local\Temp\_MEI15522\_ctypes.pyd
  MD5: 4786508ffadc542bd677f45af820fdb9
  SHA1: fc0f7dae6e0d093594e4ff1c293ce004dbd16fd7
  SHA256: 64f5072cd9536418ec0fd4b5c30c13b03cdddced1f9332d4d721c4b37ae3883e
  SHA512: ad4b0e6883c2f0c003c46b1b85f5fbc2c1f8366a212695b9e47664c8735a30d4c8a3c645b324d3d059582096a1fe78ac1043ba8a639ced0665ef8c5cc33d0b80
C:\Users\Admin\AppData\Local\Temp\_MEI15522\_hashlib.pyd
  MD5: ef3b935e7d9e1685b84636f908732b06
  SHA1: 968bca85a6f61fa24d53fc6aa77a3f48d2b08dd6
  SHA256: 46d3016b73ecf3713228df563971feefcbebcea9925349a0807b48f0e09877ce
  SHA512: 34c1779b8b7cd8449afaaeabb37a9bbb895c199d06557ea301361972ce4722f3db98e2e099eb2ce52486ab60567ac8041a4b3b3e8e917256bdd9954cbb9b05b3
C:\Users\Admin\AppData\Local\Temp\_MEI15522\_lzma.pyd
  MD5: fea0e77f594207b8af1d240a16c6650e
  SHA1: dd48f108074eade8c0f84916d619bce4a97c07bb
  SHA256: d7acc95049c07298af56a316419e6548f3e6b56fb22dfb3382607a803dddb5e0
  SHA512: 3b06abcf29bd93232afd6ae0b8fbded6cc75c5a5cdbd5b410d16e6f19e034d4f903252eda243f670173cc05e78e36e767553e065648ce7c3af330d10922d51ff
C:\Users\Admin\AppData\Local\Temp\_MEI15522\_queue.pyd
  MD5: 04849a636d85ad8bc535643580466b50
  SHA1: 17baef1ae4a1e33ed44e55c6b8de554b4814af0c
  SHA256: 80a803b8f9e2f1034cdbf47ba13efafaf2167a7ff9e5d97259506489e4ee58bd
  SHA512: 9a282680f9aaa5770cad88ee21ff1370a3a5209107d2965c2e6fed5d4fd40195e456c212ce4c27b89b29c68f30b666c803c9ef628e40ce8628c8664bbb8931f3
C:\Users\Admin\AppData\Local\Temp\_MEI15522\_socket.pyd
  MD5: bc7b1b0112427976b83911e607213c37
  SHA1: f4c7eb5b46ebe015a13de59f17ca158c01a377f4
  SHA256: 85f200cb9adf0ef97d40b897868f6ad564211d3529f0b6dfe8e04c56a7b832bc
  SHA512: 18bc94c917ee894121241dcf65fab370a344caaf1120162fcb0966503c502b3e990a79553d2e4e1e3403e35d2b5e00cb365254c08f99c93c178e2e1fd7b2a040
C:\Users\Admin\AppData\Local\Temp\_MEI15522\_ssl.pyd
  MD5: d1430e77cec5e84073700c3a65e3b8eb
  SHA1: 32009a7ea5e3097f38a33e3c5d73a9588f78e4a9
  SHA256: 174ec95c793fc33a97c57709b5117ca17700b90e7c71d72c9ec4bc7757b747a9
  SHA512: 1b49ce51e17b28eacc22e060b028697c93ee52a0a671ef615c6386c19e78a9ff67b84920fa5d8443970b53858a29c99dfcc395c0d6bc110ef125ec1c9da648f7
C:\Users\Admin\AppData\Local\Temp\_MEI15522\base_library.zip
  MD5: 174bb26af0a7c7669d1fb2e54d150971
  SHA1: ef1ac2b122265f0bca3f776b6ae2a7becc276c35
  SHA256: 02f81520a69cf2a1d901755f61c139f67b6e727ddcd91c46f89b74fb882d6cf6
  SHA512: ed4f08dbefc4a9b5a4b0051d10fb2efa80add6cf9fab258d8b1f83bcc249a1171146e89716699a3f3ad067a23f04dda28b6f7d9cf1bdcd23b945d97751f8ed19
C:\Users\Admin\AppData\Local\Temp\_MEI15522\certifi\cacert.pem
  MD5: 3dcd08b803fbb28231e18b5d1eef4258
  SHA1: b81ea40b943cd8a0c341f3a13e5bc05090b5a72a
  SHA256: de2fa17c4d8ae68dc204a1b6b58b7a7a12569367cfeb8a3a4e1f377c73e83e9e
  SHA512: 9cc7106e921fbcf8c56745b38051a5a56154c600e3c553f2e64d93ec988c88b17f6d49698bdc18e3aa57ae96a79ee2c08c584c7c4c91cc6ea72db3dca6ccc2f5
C:\Users\Admin\AppData\Local\Temp\_MEI15522\libcrypto-1_1.dll
  MD5: aa811bb63dbd4c5859b68332326f60b1
  SHA1: 6e5584d5c59d2f79cbf60c6c71a92ecd7e4e0977
  SHA256: 00a1eeb37372d11559bf44c9e68af9c841c41c95a173f3dfec4e0b5923d0cae0
  SHA512: dad9b14f501fd63824480f8801acd4004dd46f7a6965ac8ab91e573676236a11099f4b7cfdf7b3f6c0cc52a3b2e5d9b50f715f53a1f4f858ea2a5eb15d5092cd
C:\Users\Admin\AppData\Local\Temp\_MEI15522\libffi-7.dll
  MD5: eef7981412be8ea459064d3090f4b3aa
  SHA1: c60da4830ce27afc234b3c3014c583f7f0a5a925
  SHA256: f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081
  SHA512: dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016
C:\Users\Admin\AppData\Local\Temp\_MEI15522\libssl-1_1.dll
  MD5: 2335285f5ac87173bd304efeddfa1d85
  SHA1: 64558d2150120abed3514db56299721c42c6fe58
  SHA256: 1b57a201184559164dedbddcb43bb110a18cafa19ea3d00fc23274ccfc420e94
  SHA512: 82737590d5ec7315ce8485c4794c01bfcce176ce443740a9f0cf5adfc3c3ed31a714556d33c1ca56db486636111d1ad855f606c87e5f322a505c535187ce2bde
C:\Users\Admin\AppData\Local\Temp\_MEI15522\python38.dll
  MD5: eec355a6e9586f823a4f12bed11e6c80
  SHA1: 33627398cb32f4fbb162f38f7c277ad5b13a99ba
  SHA256: 560a6a5f8b7afa99600cc47da26a802c342d7f50ffe23850372f2fcf536cd26f
  SHA512: 7b4b3c13383de62a17aa1aafabce657ea5f4aadd716430fcd6e0f3125b773ae1589b3eaa050ccd87b37f6fae2391c5e7a8a229c0b0fa135de8d0269e9752bea0
C:\Users\Admin\AppData\Local\Temp\_MEI15522\select.pyd
  MD5: bb6e9825bd4a98e0700d96b59ec64f68
  SHA1: afd51547dad9cd7fac0efbda76b5e2388a027681
  SHA256: bb81d220db83d5276fccda137d430160b8eafd40f4d92d86ebc718b4dfd555ac
  SHA512: 2380a0a2bd625ff79b04bb9d4f6611150512d72f719a3cc73806ea979c29b01fc3d947fb2998e308796a32061e0f2d34d158876924c71350c759e2a841abf964
C:\Users\Admin\AppData\Local\Temp\_MEI15522\unicodedata.pyd
  MD5: c5334880576bbc751b20f6bd4baba992
  SHA1: ebd8b76221d4dad9931aabcbb0434752280a99d1
  SHA256: e5ebcc99f94766951bb75731afe07b7c4481e7ff3d252f21d39ddea7c8da4147
  SHA512: 08c964acd3064edf0210d6f12fe55896030756537b7e272c8e0f9b5e5606a6ed91094febabe3eadef51426bd6e4b06039cd9aa41a7756671edcac84684dfabb4
memory/1532-54-0x0000000000000000-mapping.dmp
memory/1552-53-0x000007FEFC391000-0x000007FEFC393000-memory.dmp
  Filesize: 8KB