Analysis
-
max time kernel
128s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
05-02-2022 18:23
Static task
static1
Behavioral task
behavioral1
Sample
PAYMENT SWIFT COPY.pdf.exe
Resource
win7-en-20211208
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
PAYMENT SWIFT COPY.pdf.exe
Resource
win10v2004-en-20220113
windows10-2004_x64
0 signatures
0 seconds
General
-
Target
PAYMENT SWIFT COPY.pdf.exe
-
Size
970KB
-
MD5
fd7ef2eeb906cad24856562a2d2ea4d5
-
SHA1
d15359eb35d6ed3fd7c31044f2f5211309caf535
-
SHA256
6ad339e5764e335403390892ed5461bcc70d63d2575228de85311e5d6878d1f1
-
SHA512
fc9e3b6fc15c6584786da6210020cd3af6f0988254036fa2d630c1f4404015c7013ae7d8db98de3b5ca8413724e353bd1de50a98cd9239813ab825dd14564962
Score
4/10
Malware Config
Signatures
-
Drops file in Windows directory 6 IoCs
Processes:
svchost.exedescription ioc process File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm svchost.exe File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log svchost.exe File opened for modification C:\Windows\WindowsUpdate.log svchost.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
svchost.exedescription pid process Token: SeShutdownPrivilege 3612 svchost.exe Token: SeCreatePagefilePrivilege 3612 svchost.exe Token: SeShutdownPrivilege 3612 svchost.exe Token: SeCreatePagefilePrivilege 3612 svchost.exe Token: SeShutdownPrivilege 3612 svchost.exe Token: SeCreatePagefilePrivilege 3612 svchost.exe -
Suspicious use of WriteProcessMemory 5 IoCs
Processes:
PAYMENT SWIFT COPY.pdf.exefondue.exedescription pid process target process PID 4940 wrote to memory of 4756 4940 PAYMENT SWIFT COPY.pdf.exe fondue.exe PID 4940 wrote to memory of 4756 4940 PAYMENT SWIFT COPY.pdf.exe fondue.exe PID 4940 wrote to memory of 4756 4940 PAYMENT SWIFT COPY.pdf.exe fondue.exe PID 4756 wrote to memory of 4240 4756 fondue.exe FonDUE.EXE PID 4756 wrote to memory of 4240 4756 fondue.exe FonDUE.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\PAYMENT SWIFT COPY.pdf.exe"C:\Users\Admin\AppData\Local\Temp\PAYMENT SWIFT COPY.pdf.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4940 -
C:\Windows\SysWOW64\fondue.exe"C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll2⤵
- Suspicious use of WriteProcessMemory
PID:4756 -
C:\Windows\system32\FonDUE.EXE"C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll3⤵PID:4240
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3612