Analysis Overview
SHA256
9b26547086a1489e5534452021694af3a565fe76926e671112be4852947a5d27
Threat Level: Known bad
The file IMG_106_680_74_80.pdf was found to be: Known bad. Despite the .pdf extension the sample is a Windows executable: the sandbox wrote it to disk and ran it as IMG_106_680_74_80.exe (see the process lists below), so the name is a lure, not a document.
Malicious Activity Summary
Oski
Suspicious use of SetThreadContext
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2022-04-11 03:14
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-04-11 03:14
Reported
2022-04-11 03:52
Platform
win7-20220331-en
Max time kernel
53s
Max time network
45s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IMG_106_680_74_80.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\IMG_106_680_74_80.exe
"C:\Users\Admin\AppData\Local\Temp\IMG_106_680_74_80.exe"
Network
Files
memory/800-54-0x00000000003B0000-0x0000000000412000-memory.dmp
memory/800-55-0x00000000005A0000-0x00000000005AA000-memory.dmp
memory/800-56-0x0000000001E70000-0x0000000001E94000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-04-11 03:14
Reported
2022-04-11 03:52
Platform
win10v2004-20220331-en
Max time kernel
146s
Max time network
149s
Command Line
Signatures
Oski
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4616 set thread context of 3036 | N/A | C:\Users\Admin\AppData\Local\Temp\IMG_106_680_74_80.exe | C:\Users\Admin\AppData\Local\Temp\IMG_106_680_74_80.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IMG_106_680_74_80.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IMG_106_680_74_80.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IMG_106_680_74_80.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IMG_106_680_74_80.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\IMG_106_680_74_80.exe
"C:\Users\Admin\AppData\Local\Temp\IMG_106_680_74_80.exe"
C:\Users\Admin\AppData\Local\Temp\IMG_106_680_74_80.exe
C:\Users\Admin\AppData\Local\Temp\IMG_106_680_74_80.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3036 -ip 3036
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3036 -s 236
Network
| Country | Destination | Domain | Proto |
| FI | 62.115.252.81:80 | | tcp |
| US | 67.26.15.254:80 | | tcp |
| US | 67.26.15.254:80 | | tcp |
| FI | 67.27.205.126:80 | | tcp |
| NL | 20.190.160.9:443 | | tcp |
| US | 8.8.8.8:53 | crl4.digicert.com | udp |
| US | 93.184.220.29:80 | crl4.digicert.com | tcp |
| US | 20.42.65.88:443 | | tcp |
| US | 67.26.11.254:80 | | tcp |
| RU | 23.196.236.89:80 | | tcp |
| RU | 23.196.236.89:80 | | tcp |
| US | 67.26.15.254:80 | | tcp |
| US | 8.8.8.8:53 | 151.122.125.40.in-addr.arpa | udp |
| US | 93.184.220.29:80 | crl4.digicert.com | tcp |
| US | 131.253.33.203:80 | | tcp |
| US | 67.26.15.254:60723 | | tcp |
| US | 67.26.15.254:60701 | | tcp |
| US | 67.26.15.254:63650 | | tcp |
| US | 67.26.15.254:9119 | | tcp |
| US | 67.26.15.254:39152 | | tcp |
| US | 67.26.15.254:60378 | | tcp |
| US | 67.26.15.254:20849 | | tcp |
| US | 67.26.15.254:44419 | | tcp |
| US | 93.184.220.29:80 | crl4.digicert.com | tcp |
| US | 67.26.15.254:17468 | | tcp |
| US | 67.26.15.254:54251 | | tcp |
| US | 67.26.15.254:43440 | | tcp |
| US | 67.26.15.254:50954 | | tcp |
| US | 67.26.15.254:18892 | | tcp |
| US | 67.26.15.254:63409 | | tcp |
| US | 67.26.15.254:5019 | | tcp |
| US | 67.26.15.254:41637 | | tcp |
| US | 67.26.15.254:55117 | | tcp |
| US | 67.26.15.254:32597 | | tcp |
| US | 67.26.15.254:43171 | | tcp |
| US | 67.26.15.254:2128 | | tcp |
| US | 67.26.15.254:18042 | | tcp |
| US | 67.26.15.254:3550 | | tcp |
| US | 67.26.15.254:41672 | | tcp |
| US | 67.26.15.254:41048 | | tcp |
| US | 67.26.15.254:37917 | | tcp |
| US | 67.26.15.254:15372 | | tcp |
| US | 67.26.15.254:10670 | | tcp |
| US | 67.26.15.254:39238 | | tcp |
| US | 67.26.15.254:22262 | | tcp |
| US | 67.26.15.254:44157 | | tcp |
| US | 67.26.15.254:30359 | | tcp |
| US | 67.26.15.254:31197 | | tcp |
| US | 67.26.15.254:10411 | | tcp |
| US | 67.26.15.254:47579 | | tcp |
| US | 67.26.15.254:54711 | | tcp |
| US | 67.26.15.254:5299 | | tcp |
| US | 67.26.15.254:61775 | | tcp |
| US | 67.26.15.254:57770 | | tcp |
| US | 67.26.15.254:24752 | | tcp |
| US | 67.26.15.254:809 | | tcp |
| US | 67.26.15.254:39374 | | tcp |
| US | 67.26.15.254:44277 | | tcp |
| US | 93.184.220.29:80 | crl4.digicert.com | tcp |
| US | 8.8.8.8:53 | 226.101.242.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | crl4.digicert.com | udp |
| US | 93.184.220.29:80 | crl4.digicert.com | tcp |
| NL | 104.110.191.133:80 | | tcp |
| US | 67.26.15.254:80 | | tcp |
Rows with an empty Domain are connections the sandbox did not tie to a DNS lookup; the crl4.digicert.com rows are certificate revocation list downloads and the in-addr.arpa rows are reverse lookups. No row in this table is attributed to a command-and-control host, so treat the unattributed destinations as candidates to verify, not as confirmed indicators.
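Sandbox network tables like the one above mix DNS, CRL and reverse-lookup noise with the connections that matter. The following Python script is an added example, not part of the sandbox report: it parses a constructed subset of the behavioral2 Network rows (kept in the shifted layout the page renders, where the protocol lands in the Domain column when no name was resolved), buckets each row, converts in-addr.arpa names back to the IPv4 address they ask about, and leaves a deduplicated list of unattributed destination IPs with their port sets. The crl/in-addr.arpa classification rules are this script's own heuristics.

```python
"""Triage a sandbox network table into noise and candidate indicators.

Added example, not the sandbox vendor's code. SAMPLE_TABLE is a constructed
subset of the behavioral2 Network table on this page; the classification
rules (port 53/udp = DNS, crlN.<domain> = CRL fetch, *.in-addr.arpa = PTR)
are this script's assumptions.
"""
import json
import re
from collections import Counter, defaultdict

SAMPLE_TABLE = """\
| Country | Destination | Domain | Proto |
| FI | 62.115.252.81:80 | tcp | |
| US | 67.26.15.254:80 | tcp | |
| US | 67.26.15.254:80 | tcp | |
| NL | 20.190.160.9:443 | tcp | |
| US | 8.8.8.8:53 | crl4.digicert.com | udp |
| US | 93.184.220.29:80 | crl4.digicert.com | tcp |
| US | 8.8.8.8:53 | 151.122.125.40.in-addr.arpa | udp |
| US | 67.26.15.254:60723 | tcp | |
| US | 67.26.15.254:60701 | tcp | |
| US | 93.184.220.29:80 | crl4.digicert.com | tcp |
| US | 8.8.8.8:53 | 226.101.242.52.in-addr.arpa | udp |
| US | 67.26.15.254:80 | tcp |
"""

PROTOS = {"tcp", "udp"}


def parse_table(text):
    """Parse pipe-delimited rows, tolerating a protocol shifted into the Domain column."""
    rows = []
    for line in text.splitlines()[1:]:                      # skip the header row
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 3:
            continue
        country, dest = cells[0], cells[1]
        if cells[2].lower() in PROTOS:                      # "| tcp | |" or trailing "| tcp |"
            domain, proto = "", cells[2].lower()
        else:
            domain = cells[2]
            proto = cells[3].lower() if len(cells) > 3 else ""
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def ptr_to_ip(name):
    """Turn a reverse-lookup name back into the IPv4 address it asks about."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa\.?", name)
    return ".".join(reversed(m.groups())) if m else None


def classify(row):
    d = row["domain"].lower()
    if row["port"] == 53 and row["proto"] == "udp":
        return "reverse_dns" if d.endswith(".in-addr.arpa") else "dns_query"
    if re.match(r"^crl\d*\.", d):                           # heuristic: CRL download hosts
        return "crl_fetch"
    if d:
        return "named"
    return "unattributed"


def triage(text):
    """Return per-class counts, unattributed IP -> sorted ports, and PTR target IPs."""
    rows = parse_table(text)
    counts = Counter(classify(r) for r in rows)
    unattributed = defaultdict(set)
    ptr_targets = set()
    for r in rows:
        kind = classify(r)
        if kind == "unattributed":
            unattributed[r["ip"]].add(r["port"])            # dedups repeated connections
        elif kind == "reverse_dns":
            ptr_targets.add(ptr_to_ip(r["domain"]))
    return {
        "counts": dict(counts),
        "unattributed": {ip: sorted(p) for ip, p in sorted(unattributed.items())},
        "ptr_targets": sorted(t for t in ptr_targets if t),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_TABLE), indent=2))
```

The unattributed bucket is the part worth enriching (passive DNS, ASN, known-CDN lists); everything in the DNS and CRL buckets is explained by the table itself and should not be copied into an indicator list.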
Files
memory/4616-124-0x00000000001D0000-0x0000000000232000-memory.dmp
memory/4616-125-0x0000000004C10000-0x0000000004C86000-memory.dmp
memory/4616-126-0x0000000004BC0000-0x0000000004BDE000-memory.dmp
memory/3036-127-0x0000000000000000-mapping.dmp
memory/3036-128-0x0000000000400000-0x0000000000438000-memory.dmp
memory/3036-129-0x0000000000400000-0x0000000000438000-memory.dmp
memory/3036-130-0x0000000000400000-0x0000000000438000-memory.dmp
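The behavioral2 signatures above describe a self-spawned copy of the sample (PID 3036) whose memory is written and whose thread context is set by PID 4616, followed by WerFault.exe for 3036 and three dumps of 3036's 0x400000-0x438000 range. The Python below is an added example, not the sandbox's own code, that correlates those events into one verdict and names the dump to carve. PIDs 4616 and 3036, the SetThreadContext direction, the WerFault command line and the dump file names come from the report; the parent/child link between 4616 and 3036, the direction of the WriteProcessMemory call and the WerFault PID 5000 are assumptions consistent with it.

```python
"""Correlate sandbox behavioural events into a process-injection verdict.

Added example (not the sandbox vendor's code). EVENTS and MEMORY_DUMPS are
constructed from the behavioral2 tables on this page: PIDs 4616 and 3036, the
SetThreadContext direction, the WerFault command line and the dump names are
the report's; the 4616 -> 3036 parent link, the WriteProcessMemory direction
and the WerFault PID 5000 are assumptions consistent with it.
"""
import re

EXE = r"C:\Users\Admin\AppData\Local\Temp\IMG_106_680_74_80.exe"
WERFAULT = r"C:\Windows\SysWOW64\WerFault.exe"

EVENTS = [
    {"event": "process_create", "pid": 4616, "image": EXE, "parent": None},
    {"event": "adjust_privilege", "pid": 4616, "privilege": "SeDebugPrivilege"},
    {"event": "process_create", "pid": 3036, "image": EXE, "parent": 4616},  # parent assumed
    {"event": "write_process_memory", "pid": 4616, "target": 3036},          # direction assumed
    {"event": "set_thread_context", "pid": 4616, "target": 3036},            # from the report
    {"event": "process_create", "pid": 5000, "image": WERFAULT, "parent": None,
     "cmdline": WERFAULT + " -u -p 3036 -s 236"},                            # PID 5000 assumed
]

MEMORY_DUMPS = [
    "memory/4616-124-0x00000000001D0000-0x0000000000232000-memory.dmp",
    "memory/4616-125-0x0000000004C10000-0x0000000004C86000-memory.dmp",
    "memory/4616-126-0x0000000004BC0000-0x0000000004BDE000-memory.dmp",
    "memory/3036-127-0x0000000000000000-mapping.dmp",
    "memory/3036-128-0x0000000000400000-0x0000000000438000-memory.dmp",
    "memory/3036-129-0x0000000000400000-0x0000000000438000-memory.dmp",
    "memory/3036-130-0x0000000000400000-0x0000000000438000-memory.dmp",
]

# memory/<pid>-<seq>-0x<start>[-0x<end>]-(memory|mapping).dmp
DUMP_RE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)(?:-0x([0-9A-Fa-f]+))?-(memory|mapping)\.dmp$")


def parse_dump_name(name):
    """Split a dump file name into pid, sequence number, address range and kind."""
    m = DUMP_RE.match(name)
    if not m:
        return None
    pid, seq, start, end, kind = m.groups()
    return {"pid": int(pid), "seq": int(seq), "start": int(start, 16),
            "end": int(end, 16) if end else None, "kind": kind}


def crashed_pids(events):
    """PIDs that Windows Error Reporting was launched for (WerFault.exe ... -p <pid>)."""
    out = set()
    for e in events:
        if e["event"] == "process_create" and e["image"].lower().endswith("werfault.exe"):
            m = re.search(r"(?:^|\s)-p\s+(\d+)", e.get("cmdline", ""))
            if m:
                out.add(int(m.group(1)))
    return out


def find_injections(events):
    """Pair WriteProcessMemory with SetThreadContext on the same (source, target)."""
    creates = [e for e in events if e["event"] == "process_create"]
    images = {e["pid"]: e["image"] for e in creates}
    parents = {e["pid"]: e.get("parent") for e in creates}
    writes = {(e["pid"], e["target"]) for e in events if e["event"] == "write_process_memory"}
    ctx = {(e["pid"], e["target"]) for e in events if e["event"] == "set_thread_context"}
    debug = {e["pid"] for e in events
             if e["event"] == "adjust_privilege" and e.get("privilege") == "SeDebugPrivilege"}
    crashed = crashed_pids(events)
    findings = []
    for src, dst in sorted(writes & ctx):
        # A self-spawned copy whose memory and thread context are rewritten by
        # its parent is the classic process-hollowing shape.
        hollowing = images.get(src) == images.get(dst) and parents.get(dst) == src
        findings.append({
            "source": src, "target": dst,
            "technique": "process hollowing candidate" if hollowing else "thread context hijack",
            "source_has_sedebug": src in debug,
            "target_crashed": dst in crashed,
        })
    return findings


def payload_regions(dumps, pid):
    """Distinct memory dumps of one PID, largest first; 0x400000 is the default 32-bit image base."""
    seen = {}
    for d in map(parse_dump_name, dumps):
        if d and d["pid"] == pid and d["kind"] == "memory":
            seen.setdefault((d["start"], d["end"]), d)      # repeated snapshots of one range
    regs = [{**d, "size": d["end"] - d["start"], "default_image_base": d["start"] == 0x400000}
            for d in seen.values()]
    return sorted(regs, key=lambda d: -d["size"])


if __name__ == "__main__":
    for f in find_injections(EVENTS):
        print(f)
        for r in payload_regions(MEMORY_DUMPS, f["target"]):
            print(f"  carve {r['start']:#x}-{r['end']:#x} ({r['size']:#x} bytes) from seq {r['seq']}")
```

Run stand-alone it reports one process hollowing candidate (4616 into 3036, source holding SeDebugPrivilege, target crashed) and points at the 0x400000-0x438000 dump of 3036: a range starting at the default 32-bit image base inside a process whose memory was rewritten by its parent is where the unpacked payload is normally written, so that dump is the first thing to pull into a PE parser or YARA scan.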