fe8141ad1869a8ac34a4c258ce4c62d09ede71e1ea9f819c22e954aee473df4d

General

Target

Payment receipt.pdf.exe
Size

821KB
MD5

b23c8de2a3a56e2fb8bacb085dbd9d19
SHA1

5957dbee0b2b200110787aac267be09bcecbeda2
SHA256

027eae741aaf031d2edcdc08920457e4c2e641c33847d67705d791f124b7781e
SHA512

a696b8e4cdbca841f2ecae342d8aa61c9ac9adc0849e69c715f3f3ce7b5195711bf4a22ad8c2add5bf1962d6a6cb18b751abbe73711699bce59199bd09ad2a63

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

Payment receipt.pdf.exe

pid	process
948	Payment receipt.pdf.exe
948	Payment receipt.pdf.exe
948	Payment receipt.pdf.exe
948	Payment receipt.pdf.exe
948	Payment receipt.pdf.exe
948	Payment receipt.pdf.exe
948	Payment receipt.pdf.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Payment receipt.pdf.exe

description pid process

Token: SeDebugPrivilege 948 Payment receipt.pdf.exe

description	pid	process
Token: SeDebugPrivilege	948	Payment receipt.pdf.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

Payment receipt.pdf.exe

description	pid	process	target process
PID 948 wrote to memory of 468	948	Payment receipt.pdf.exe	Payment receipt.pdf.exe
PID 948 wrote to memory of 468	948	Payment receipt.pdf.exe	Payment receipt.pdf.exe
PID 948 wrote to memory of 468	948	Payment receipt.pdf.exe	Payment receipt.pdf.exe
PID 948 wrote to memory of 468	948	Payment receipt.pdf.exe	Payment receipt.pdf.exe
PID 948 wrote to memory of 524	948	Payment receipt.pdf.exe	Payment receipt.pdf.exe
PID 948 wrote to memory of 524	948	Payment receipt.pdf.exe	Payment receipt.pdf.exe
PID 948 wrote to memory of 524	948	Payment receipt.pdf.exe	Payment receipt.pdf.exe
PID 948 wrote to memory of 524	948	Payment receipt.pdf.exe	Payment receipt.pdf.exe
PID 948 wrote to memory of 744	948	Payment receipt.pdf.exe	Payment receipt.pdf.exe
PID 948 wrote to memory of 744	948	Payment receipt.pdf.exe	Payment receipt.pdf.exe
PID 948 wrote to memory of 744	948	Payment receipt.pdf.exe	Payment receipt.pdf.exe
PID 948 wrote to memory of 744	948	Payment receipt.pdf.exe	Payment receipt.pdf.exe
PID 948 wrote to memory of 308	948	Payment receipt.pdf.exe	Payment receipt.pdf.exe
PID 948 wrote to memory of 308	948	Payment receipt.pdf.exe	Payment receipt.pdf.exe
PID 948 wrote to memory of 308	948	Payment receipt.pdf.exe	Payment receipt.pdf.exe
PID 948 wrote to memory of 308	948	Payment receipt.pdf.exe	Payment receipt.pdf.exe
PID 948 wrote to memory of 856	948	Payment receipt.pdf.exe	Payment receipt.pdf.exe
PID 948 wrote to memory of 856	948	Payment receipt.pdf.exe	Payment receipt.pdf.exe
PID 948 wrote to memory of 856	948	Payment receipt.pdf.exe	Payment receipt.pdf.exe
PID 948 wrote to memory of 856	948	Payment receipt.pdf.exe	Payment receipt.pdf.exe

C:\Users\Admin\AppData\Local\Temp\Payment receipt.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Payment receipt.pdf.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:948

C:\Users\Admin\AppData\Local\Temp\Payment receipt.pdf.exe
"{path}"
2⤵
PID:468

C:\Users\Admin\AppData\Local\Temp\Payment receipt.pdf.exe
"{path}"
2⤵
PID:524

C:\Users\Admin\AppData\Local\Temp\Payment receipt.pdf.exe
"{path}"
2⤵
PID:744

C:\Users\Admin\AppData\Local\Temp\Payment receipt.pdf.exe
"{path}"
2⤵
PID:308

C:\Users\Admin\AppData\Local\Temp\Payment receipt.pdf.exe
"{path}"
2⤵
PID:856

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/948-53-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/948-55-0x00000000048D0000-0x00000000048D1000-memory.dmp

Filesize
4KB

Download
memory/948-56-0x0000000000520000-0x000000000052E000-memory.dmp

Filesize
56KB

Download
memory/948-57-0x0000000005410000-0x0000000005492000-memory.dmp

Filesize
520KB

Download
memory/948-58-0x0000000001EC0000-0x0000000001EF0000-memory.dmp

Filesize
192KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads