Analysis

- max time kernel: 123s
- max time network: 143s
- platform: windows7_x64
- resource: win7-en-20210920
- submitted: 21-10-2021 05:24

Static task: static1
Behavioral task: behavioral1
Sample: Payment receipt.pdf.exe
Resource: win7-en-20210920 (windows7_x64)
0 signatures, 0 seconds
General

- Target: Payment receipt.pdf.exe
- Size: 821KB
- MD5: b23c8de2a3a56e2fb8bacb085dbd9d19
- SHA1: 5957dbee0b2b200110787aac267be09bcecbeda2
- SHA256: 027eae741aaf031d2edcdc08920457e4c2e641c33847d67705d791f124b7781e
- SHA512: a696b8e4cdbca841f2ecae342d8aa61c9ac9adc0849e69c715f3f3ce7b5195711bf4a22ad8c2add5bf1962d6a6cb18b751abbe73711699bce59199bd09ad2a63
- Score: 1/10
Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses (7 IoCs)
Processes:
  pid   process
  948   Payment receipt.pdf.exe   (7 identical entries)

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description               pid   process
  Token: SeDebugPrivilege   948   Payment receipt.pdf.exe

Suspicious use of WriteProcessMemory (20 IoCs)
Processes:
  description                      pid   process                   target process
  PID 948 wrote to memory of 468   948   Payment receipt.pdf.exe   Payment receipt.pdf.exe   (4 identical entries)
  PID 948 wrote to memory of 524   948   Payment receipt.pdf.exe   Payment receipt.pdf.exe   (4 identical entries)
  PID 948 wrote to memory of 744   948   Payment receipt.pdf.exe   Payment receipt.pdf.exe   (4 identical entries)
  PID 948 wrote to memory of 308   948   Payment receipt.pdf.exe   Payment receipt.pdf.exe   (4 identical entries)
  PID 948 wrote to memory of 856   948   Payment receipt.pdf.exe   Payment receipt.pdf.exe   (4 identical entries)
Processes

1. C:\Users\Admin\AppData\Local\Temp\Payment receipt.pdf.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Payment receipt.pdf.exe"
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\Payment receipt.pdf.exe   Command line: "{path}"
   2. C:\Users\Admin\AppData\Local\Temp\Payment receipt.pdf.exe   Command line: "{path}"
   2. C:\Users\Admin\AppData\Local\Temp\Payment receipt.pdf.exe   Command line: "{path}"
   2. C:\Users\Admin\AppData\Local\Temp\Payment receipt.pdf.exe   Command line: "{path}"
   2. C:\Users\Admin\AppData\Local\Temp\Payment receipt.pdf.exe   Command line: "{path}"
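The report scores this sample 1/10, but the three signatures above describe a single parent (PID 948) that enables SeDebugPrivilege on its own token and then writes four times into each of five newly spawned copies of its own image, every one of them launched with the literal command line "{path}". A process writing into a fresh copy of its own executable is the trace that process-hollowing (RunPE-style) injection leaves in a sandbox; the report does not assert that, and nothing on this page shows what bytes were written, so treat it as a lead for manual triage rather than a verdict. The following script is an added example, not part of the sandbox report and not the sandbox vendor's code: it takes the IoC rows and process tree transcribed from this page (as tuples, since the page flattens the tables), aggregates the writes per (writer, target) pair, and raises one finding when a process writes into at least two distinct copies of its own image. The `min_targets` threshold and the finding fields are assumptions chosen for illustration.

```python
from collections import defaultdict

# Rows transcribed from the report's signature tables above, not new data.
# WriteProcessMemory: (source pid, target pid, source image, target image).
# The report lists four identical rows for each of the five targets.
WRITE_EVENTS = [
    (948, target, "Payment receipt.pdf.exe", "Payment receipt.pdf.exe")
    for target in (468, 524, 744, 308, 856)
    for _ in range(4)
]

# AdjustPrivilegeToken: (pid, privilege name).
TOKEN_EVENTS = [(948, "SeDebugPrivilege")]

# Process tree: (depth, image path, command line). Depth 1 is the submitted
# sample; the five depth-2 entries are the children it spawned.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\Payment receipt.pdf.exe"
PROCESS_TREE = [(1, SAMPLE, f'"{SAMPLE}"')] + [(2, SAMPLE, '"{path}"')] * 5


def summarize_writes(events):
    """Aggregate write events per (source, target) pair.

    A pair is flagged as same_image when the target is a different process
    running the same image as the writer: the shape left by a loader that
    starts a copy of itself and overwrites the child's memory.
    """
    pairs = defaultdict(lambda: {"writes": 0, "same_image": False})
    for src_pid, dst_pid, src_img, dst_img in events:
        rec = pairs[(src_pid, dst_pid)]
        rec["writes"] += 1
        rec["same_image"] = src_pid != dst_pid and src_img.lower() == dst_img.lower()
    return dict(pairs)


def placeholder_children(tree):
    """Depth-2 children of the sample whose command line is the literal "{path}" token."""
    parent_image = next(img for depth, img, _ in tree if depth == 1)
    return [
        image for depth, image, cmdline in tree
        if depth == 2 and cmdline == '"{path}"' and image.lower() == parent_image.lower()
    ]


def assess(events=WRITE_EVENTS, tokens=TOKEN_EVENTS, tree=PROCESS_TREE, min_targets=2):
    """Combine the three IoC sets into one finding per writer process.

    A writer is reported when it writes into at least `min_targets` distinct
    copies of its own image (threshold is an assumption for this example);
    SeDebugPrivilege and the placeholder command lines are attached as
    corroborating context, not as requirements for the finding.
    """
    debug_pids = {pid for pid, priv in tokens if priv == "SeDebugPrivilege"}
    by_writer = defaultdict(list)
    for (src, dst), rec in summarize_writes(events).items():
        if rec["same_image"]:
            by_writer[src].append((dst, rec["writes"]))

    findings = []
    for src, targets in by_writer.items():
        if len(targets) < min_targets:
            continue
        findings.append({
            "source_pid": src,
            "targets": sorted(dst for dst, _ in targets),
            "total_writes": sum(n for _, n in targets),
            "has_debug_privilege": src in debug_pids,
            "placeholder_children": len(placeholder_children(tree)),
        })
    return findings


if __name__ == "__main__":
    for finding in assess():
        print(finding)
```

On the report's data this yields a single finding for PID 948 with five targets, twenty writes, SeDebugPrivilege held, and five "{path}" children. A process that writes only into itself, or into processes running a different image, produces no finding; that keeps ordinary self-patching and legitimate cross-process writes by debuggers out of the result, at the cost of missing injection into a renamed copy.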
Network
MITRE ATT&CK Matrix
Downloads
-
  dump                                                              size
  memory/948-53-0x0000000000370000-0x0000000000371000-memory.dmp    4KB
  memory/948-55-0x00000000048D0000-0x00000000048D1000-memory.dmp    4KB
  memory/948-56-0x0000000000520000-0x000000000052E000-memory.dmp    56KB
  memory/948-57-0x0000000005410000-0x0000000005492000-memory.dmp    520KB
  memory/948-58-0x0000000001EC0000-0x0000000001EF0000-memory.dmp    192KB
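All five dumps come from the parent PID 948; none is listed for the five children it wrote into. The dump file names encode the pid, a sequence number and the virtual address range that was captured, so the size column can be cross-checked against the range before the files are fed to a PE carver. The script below is an added example, not part of the report, that parses the names transcribed from this listing (labelled as such in the code), derives each region's length and page alignment, and confirms the listed size matches; the name and size patterns are assumptions drawn from the five entries shown here rather than a documented format.

```python
import re

# Dump listing transcribed from the report's Downloads section: (file name, listed size).
DUMPS = [
    ("memory/948-53-0x0000000000370000-0x0000000000371000-memory.dmp", "4KB"),
    ("memory/948-55-0x00000000048D0000-0x00000000048D1000-memory.dmp", "4KB"),
    ("memory/948-56-0x0000000000520000-0x000000000052E000-memory.dmp", "56KB"),
    ("memory/948-57-0x0000000005410000-0x0000000005492000-memory.dmp", "520KB"),
    ("memory/948-58-0x0000000001EC0000-0x0000000001EF0000-memory.dmp", "192KB"),
]

# Assumed name layout, inferred from the entries above: memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
NAME_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
SIZE_RE = re.compile(r"^(\d+)(B|KB|MB)$")
UNIT = {"B": 1, "KB": 1024, "MB": 1024 * 1024}  # the report's KB is 1024 bytes


def parse_dump_name(name):
    """Split a dump file name into (pid, sequence, start, end); None if it does not match."""
    m = NAME_RE.match(name)
    if not m:
        return None
    pid, seq, start, end = m.groups()
    return int(pid), int(seq), int(start, 16), int(end, 16)


def parse_size(text):
    """Convert a size label such as '520KB' to bytes."""
    m = SIZE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised size {text!r}")
    return int(m.group(1)) * UNIT[m.group(2)]


def check_dumps(dumps=DUMPS):
    """One record per dump: region length derived from the address range, whether the
    range is page aligned, and whether the length agrees with the size column."""
    out = []
    for name, size_text in dumps:
        parsed = parse_dump_name(name)
        if parsed is None:
            out.append({"name": name, "ok": False, "reason": "unparsable name"})
            continue
        pid, seq, start, end = parsed
        length = end - start
        out.append({
            "name": name, "pid": pid, "seq": seq, "start": start, "end": end,
            "length": length,
            "page_aligned": start % 0x1000 == 0 and end % 0x1000 == 0,
            "ok": length == parse_size(size_text),
        })
    return out


if __name__ == "__main__":
    for row in check_dumps():
        print(f"{row['name']}: {row.get('length', '?')} bytes, ok={row['ok']}")
```

For this listing every range is page aligned and every derived length equals the listed size (0x1000, 0x1000, 0xE000, 0x82000 and 0x30000 bytes). The 520KB region at 0x5410000 is the largest capture, but the page gives no content for any dump, so whether it holds a decoded payload has to be established from the file itself.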