Analysis

- max time kernel: 91s
- max time network: 126s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 02:21
Static task: static1

Behavioral tasks:
- behavioral1: Sample "Company Presentation~pdf.exe", Resource win7-20220414-en
- behavioral2: Sample "Company Presentation~pdf.exe", Resource win10v2004-20220414-en
- behavioral3: Sample "Infrared Thermometer~pdf.exe", Resource win7-20220414-en
- behavioral4: Sample "Infrared Thermometer~pdf.exe", Resource win10v2004-20220414-en
- behavioral5: Sample "Mask samples & qty needed~pdf.exe", Resource win7-20220414-en
- behavioral6: Sample "Mask samples & qty needed~pdf.exe", Resource win10v2004-20220414-en
General

- Target: Mask samples & qty needed~pdf.exe
- Size: 1.2MB
- MD5: cbc2a4c4b531711337eb807fbd082adc
- SHA1: f9114fe1e6ebe680831900fce56fde5ed2a748eb
- SHA256: 2ae247545c4291da9b83ad9ba0c6af00bd80c896a3fb9fafd028e09444bf3baf
- SHA512: e5649d648c989049af1dd13c12f397483935d019e93e655801f51f642f7db8bd536c945b4ef92a1f46ff73e8e8952ddb397857c935408e52862543c0a58a92e2
Malware Config

Extracted:
- Protocol: smtp
- Host: mapi.diplemailsrvr.com
- Port: 587
- Username: [email protected]
- Password: Banachi@1974
Signatures

- Disables RegEdit via registry modification
- Disables Task Manager via registry modification

Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
Processes: InstallUtil.exe
- Key opened: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (InstallUtil.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (InstallUtil.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (InstallUtil.exe)

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes: Mask samples & qty needed~pdf.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfuoM = "C:\\JVJHUWZP\\OfuoMN\\OfuoMNeUP.vbs" (Mask samples & qty needed~pdf.exe)

Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
Processes: Mask samples & qty needed~pdf.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (Mask samples & qty needed~pdf.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 (Mask samples & qty needed~pdf.exe)

Suspicious use of SetThreadContext (1 IoCs)
Processes: Mask samples & qty needed~pdf.exe
- PID 4080 set thread context of 4100: Mask samples & qty needed~pdf.exe (4080) -> InstallUtil.exe (4100)

Modifies registry key (1 TTPs, 1 IoCs)

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: InstallUtil.exe
- PID 4100 InstallUtil.exe (2 events)

Suspicious behavior: MapViewOfSection (3 IoCs)
Processes: Mask samples & qty needed~pdf.exe
- PID 4080 Mask samples & qty needed~pdf.exe (3 events)

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes: InstallUtil.exe
- Token: SeDebugPrivilege, PID 4100 InstallUtil.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
Processes: InstallUtil.exe
- PID 4100 InstallUtil.exe

Suspicious use of WriteProcessMemory (16 IoCs)
Processes: Mask samples & qty needed~pdf.exe, InstallUtil.exe
- PID 4080 wrote to memory of 3300: Mask samples & qty needed~pdf.exe -> InstallUtil.exe (3 events)
- PID 4080 wrote to memory of 4128: Mask samples & qty needed~pdf.exe -> InstallUtil.exe (3 events)
- PID 4080 wrote to memory of 4100: Mask samples & qty needed~pdf.exe -> InstallUtil.exe (4 events)
- PID 4100 wrote to memory of 3204: InstallUtil.exe -> REG.exe (3 events)
- PID 4100 wrote to memory of 4380: InstallUtil.exe -> netsh.exe (3 events)

outlook_office_path (1 IoCs)
Processes: InstallUtil.exe
- Key opened: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (InstallUtil.exe)

outlook_win_path (1 IoCs)
Processes: InstallUtil.exe
- Key opened: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (InstallUtil.exe)
Processes

- C:\Users\Admin\AppData\Local\Temp\Mask samples & qty needed~pdf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Mask samples & qty needed~pdf.exe"
  - Adds Run key to start application
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
    Command line: "C:\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\InstallUtil.exe"
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
    Command line: "C:\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\InstallUtil.exe"
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
    Command line: "C:\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\InstallUtil.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path
    - C:\Windows\SysWOW64\REG.exe
      Command line: REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      - Modifies registry key
    - C:\Windows\SysWOW64\netsh.exe
      Command line: "netsh" wlan show profile
Downloads

- memory/3204-135-0x0000000000000000-mapping.dmp
- memory/4080-130-0x0000000000D00000-0x0000000000E30000-memory.dmp (Filesize 1.2MB)
- memory/4080-131-0x0000000005DE0000-0x0000000006384000-memory.dmp (Filesize 5.6MB)
- memory/4080-133-0x0000000005780000-0x0000000005783000-memory.dmp (Filesize 12KB)
- memory/4100-132-0x0000000000000000-mapping.dmp
- memory/4100-134-0x0000000071E70000-0x0000000072421000-memory.dmp (Filesize 5.7MB)
- memory/4380-136-0x0000000000000000-mapping.dmp