Overview

Task tabs (score, sample, platform):
Score | Task | Platform
10 | Static | static
8 | BL. NO. AN...21.exe | windows7_x64
10 | BL. NO. AN...21.exe | windows10_x64
10 | Sample_101...mg.exe | windows7_x64
10 | Sample_101...mg.exe | windows10_x64
10 | Invoice 19...df.exe | windows7_x64
1 | Invoice 19...df.exe | windows10_x64
10 | Leak/PROFO...CE.doc | windows7_x64
10 | Leak/PROFO...CE.doc | windows10_x64
1 | Payment re...df.exe | windows7_x64
10 | Payment re...df.exe | windows10_x64
10 | Leak/Profo...mg.xls | windows7_x64
10 | Leak/Profo...mg.xls | windows10_x64
Analysis (score: 10)
- max time kernel: 561s
- max time network: 606s
- platform: windows7_x64
- resource: win7-en-20210920
- submitted: 26-10-2021 07:00
Static task: static1

Behavioral tasks:
Task | Sample | Resource
behavioral1 | BL. NO. ANSMUNDAR3621.exe | win7-en-20211014
behavioral2 | BL. NO. ANSMUNDAR3621.exe | win10-en-20210920
behavioral3 | Sample_10120351200_ISO_035117img.exe | win7-en-20210920
behavioral4 | Sample_10120351200_ISO_035117img.exe | win10-en-20211014
behavioral5 | Invoice 1905-20-1907-20.pdf.exe | win7-en-20210920
behavioral6 | Invoice 1905-20-1907-20.pdf.exe | win10-en-20211014
behavioral7 | Leak/PROFORMA INVOICE.doc | win7-en-20210920
behavioral8 | Leak/PROFORMA INVOICE.doc | win10-en-20211014
behavioral9 | Payment receipt.pdf.exe | win7-en-20210920
behavioral10 | Payment receipt.pdf.exe | win10-en-20210920
behavioral11 | Leak/Proforma invoice35117img.xls | win7-en-20211014
behavioral12 | Leak/Proforma invoice35117img.xls | win10-en-20210920
General
- Target: Invoice 1905-20-1907-20.pdf.exe
- Size: 742KB
- MD5: d40d05b8b73fb36ca9ae679997decbf7
- SHA1: 1099139b29753b0308fd3729a1b0a894fb98b94e
- SHA256: 9509214ef8fd1704c88aebdd75cf26345735cf6901af44de6038dce4e4d46f34
- SHA512: 6c6388214929c2d094584c8ddfe5b116ff6c250e2c32f161d5328a258191e115fca6a10275e7e366a7ab976116e2b2406dbc699c4a5287aac39ee127657d900b
Malware Config
Signatures

Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes:
pid | process
1112 | Invoice 1905-20-1907-20.pdf.exe
1112 | Invoice 1905-20-1907-20.pdf.exe
1112 | Invoice 1905-20-1907-20.pdf.exe
1112 | Invoice 1905-20-1907-20.pdf.exe
1112 | Invoice 1905-20-1907-20.pdf.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
description | pid | process
Token: SeDebugPrivilege | 1112 | Invoice 1905-20-1907-20.pdf.exe

Suspicious use of WriteProcessMemory (20 IoCs)
Processes:
description | pid | process | target process
PID 1112 wrote to memory of 960 | 1112 | Invoice 1905-20-1907-20.pdf.exe | Invoice 1905-20-1907-20.pdf.exe
PID 1112 wrote to memory of 960 | 1112 | Invoice 1905-20-1907-20.pdf.exe | Invoice 1905-20-1907-20.pdf.exe
PID 1112 wrote to memory of 960 | 1112 | Invoice 1905-20-1907-20.pdf.exe | Invoice 1905-20-1907-20.pdf.exe
PID 1112 wrote to memory of 960 | 1112 | Invoice 1905-20-1907-20.pdf.exe | Invoice 1905-20-1907-20.pdf.exe
PID 1112 wrote to memory of 1724 | 1112 | Invoice 1905-20-1907-20.pdf.exe | Invoice 1905-20-1907-20.pdf.exe
PID 1112 wrote to memory of 1724 | 1112 | Invoice 1905-20-1907-20.pdf.exe | Invoice 1905-20-1907-20.pdf.exe
PID 1112 wrote to memory of 1724 | 1112 | Invoice 1905-20-1907-20.pdf.exe | Invoice 1905-20-1907-20.pdf.exe
PID 1112 wrote to memory of 1724 | 1112 | Invoice 1905-20-1907-20.pdf.exe | Invoice 1905-20-1907-20.pdf.exe
PID 1112 wrote to memory of 1728 | 1112 | Invoice 1905-20-1907-20.pdf.exe | Invoice 1905-20-1907-20.pdf.exe
PID 1112 wrote to memory of 1728 | 1112 | Invoice 1905-20-1907-20.pdf.exe | Invoice 1905-20-1907-20.pdf.exe
PID 1112 wrote to memory of 1728 | 1112 | Invoice 1905-20-1907-20.pdf.exe | Invoice 1905-20-1907-20.pdf.exe
PID 1112 wrote to memory of 1728 | 1112 | Invoice 1905-20-1907-20.pdf.exe | Invoice 1905-20-1907-20.pdf.exe
PID 1112 wrote to memory of 1564 | 1112 | Invoice 1905-20-1907-20.pdf.exe | Invoice 1905-20-1907-20.pdf.exe
PID 1112 wrote to memory of 1564 | 1112 | Invoice 1905-20-1907-20.pdf.exe | Invoice 1905-20-1907-20.pdf.exe
PID 1112 wrote to memory of 1564 | 1112 | Invoice 1905-20-1907-20.pdf.exe | Invoice 1905-20-1907-20.pdf.exe
PID 1112 wrote to memory of 1564 | 1112 | Invoice 1905-20-1907-20.pdf.exe | Invoice 1905-20-1907-20.pdf.exe
PID 1112 wrote to memory of 1608 | 1112 | Invoice 1905-20-1907-20.pdf.exe | Invoice 1905-20-1907-20.pdf.exe
PID 1112 wrote to memory of 1608 | 1112 | Invoice 1905-20-1907-20.pdf.exe | Invoice 1905-20-1907-20.pdf.exe
PID 1112 wrote to memory of 1608 | 1112 | Invoice 1905-20-1907-20.pdf.exe | Invoice 1905-20-1907-20.pdf.exe
PID 1112 wrote to memory of 1608 | 1112 | Invoice 1905-20-1907-20.pdf.exe | Invoice 1905-20-1907-20.pdf.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\Invoice 1905-20-1907-20.pdf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Invoice 1905-20-1907-20.pdf.exe"
  PID: 1112 (depth 1)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes (depth 2):
  - C:\Users\Admin\AppData\Local\Temp\Invoice 1905-20-1907-20.pdf.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Invoice 1905-20-1907-20.pdf.exe"
    PID: 960
  - C:\Users\Admin\AppData\Local\Temp\Invoice 1905-20-1907-20.pdf.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Invoice 1905-20-1907-20.pdf.exe"
    PID: 1724
  - C:\Users\Admin\AppData\Local\Temp\Invoice 1905-20-1907-20.pdf.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Invoice 1905-20-1907-20.pdf.exe"
    PID: 1728
  - C:\Users\Admin\AppData\Local\Temp\Invoice 1905-20-1907-20.pdf.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Invoice 1905-20-1907-20.pdf.exe"
    PID: 1564
  - C:\Users\Admin\AppData\Local\Temp\Invoice 1905-20-1907-20.pdf.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Invoice 1905-20-1907-20.pdf.exe"
    PID: 1608