Analysis
- max time kernel: 53s
- max time network: 46s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 20-05-2022 22:38

Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: Payment swift copy.pdf.exe
  Resource: win7-20220414-en
  Platform: windows7_x64
  0 signatures
  0 seconds
General
- Target: Payment swift copy.pdf.exe
- Size: 1.3MB
- MD5: db30aa1c0eb9d07f3e7e966acc690898
- SHA1: 4495b0f386ee54919a46aa911ddc1b4931ca2d8a
- SHA256: 5176a48afec98e65c46b54977d76a78f20d8bd4333ca64285495a05862d6749b
- SHA512: 2df235a40d63efb26903e4b494959a7daef059985d3043d34eaa2aa2e3103c0e187bc9def392e3768580ff4ce6aab098a79af105c423bf0bd5b601f8232aa047
- Score: 9/10
Malware Config
Signatures
- Looks for VirtualBox Guest Additions in registry (2 TTPs)
- Looks for VMWare Tools registry key (2 TTPs)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
    description         ioc                                                              process
    Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  Payment swift copy.pdf.exe
    Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   Payment swift copy.pdf.exe
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes:
    description         ioc                                                              process
    Key opened          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum        Payment swift copy.pdf.exe
    Key value queried   \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0      Payment swift copy.pdf.exe
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  Processes:
    pid    process
    1744   Payment swift copy.pdf.exe   (12 identical entries)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description               pid    process
    Token: SeDebugPrivilege   1744   Payment swift copy.pdf.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes:
    description                        pid    process                      target process
    PID 1744 wrote to memory of 696    1744   Payment swift copy.pdf.exe   Payment swift copy.pdf.exe   (4 entries)
    PID 1744 wrote to memory of 1424   1744   Payment swift copy.pdf.exe   Payment swift copy.pdf.exe   (4 entries)
    PID 1744 wrote to memory of 1004   1744   Payment swift copy.pdf.exe   Payment swift copy.pdf.exe   (4 entries)
    PID 1744 wrote to memory of 1784   1744   Payment swift copy.pdf.exe   Payment swift copy.pdf.exe   (4 entries)
    PID 1744 wrote to memory of 772    1744   Payment swift copy.pdf.exe   Payment swift copy.pdf.exe   (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\Payment swift copy.pdf.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Payment swift copy.pdf.exe"
  - Checks BIOS information in registry
  - Maps connected drives based on registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes (level 2):
  - C:\Users\Admin\AppData\Local\Temp\Payment swift copy.pdf.exe  "{path}"
  - C:\Users\Admin\AppData\Local\Temp\Payment swift copy.pdf.exe  "{path}"
  - C:\Users\Admin\AppData\Local\Temp\Payment swift copy.pdf.exe  "{path}"
  - C:\Users\Admin\AppData\Local\Temp\Payment swift copy.pdf.exe  "{path}"
  - C:\Users\Admin\AppData\Local\Temp\Payment swift copy.pdf.exe  "{path}"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1744-54-0x00000000003C0000-0x000000000051C000-memory.dmp  Filesize: 1.4MB
- memory/1744-55-0x0000000075761000-0x0000000075763000-memory.dmp  Filesize: 8KB
- memory/1744-56-0x0000000000290000-0x000000000029A000-memory.dmp  Filesize: 40KB
- memory/1744-57-0x0000000007C10000-0x0000000007D38000-memory.dmp  Filesize: 1.2MB
- memory/1744-58-0x0000000007E30000-0x0000000007FD2000-memory.dmp  Filesize: 1.6MB