38816306d8ef0a7fba0de311f98cd8d5adfd15749a5f4995294ff0c3a34c1e76

General

Target

Dijk Natural Order.pdf_____________________________________________________________________.exe
Size

1.6MB
MD5

e7c451f315b71a66a7664da405c678f4
SHA1

523a306ff0b072ce178b1e6e42336bfad604f3f1
SHA256

797c64ffd02f4ed730fc195028cfe6b82928403e75a94d14f8f8de87510818e0
SHA512

86b725fbdabb35b99963c8689e23240cceb2430ebde0bec2c2ea44b3433fa06fb11c8d73d6f7d4f6bba450cd2f2a331de98e9eb7a50f7726170ba34da484ba5f

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

Processes:

Dijk Natural Order.pdf_____________________________________________________________________.exe

pid process

2772 Dijk Natural Order.pdf_____________________________________________________________________.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Dijk Natural Order.pdf_____________________________________________________________________.exe

description	pid	process	target process
PID 2772 set thread context of 4444	2772	Dijk Natural Order.pdf_____________________________________________________________________.exe	Dijk Natural Order.pdf_____________________________________________________________________.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

Dijk Natural Order.pdf_____________________________________________________________________.exeDijk Natural Order.pdf_____________________________________________________________________.exepowershell.exe

pid	process
2772	Dijk Natural Order.pdf_____________________________________________________________________.exe
2772	Dijk Natural Order.pdf_____________________________________________________________________.exe
2772	Dijk Natural Order.pdf_____________________________________________________________________.exe
4444	Dijk Natural Order.pdf_____________________________________________________________________.exe
4444	Dijk Natural Order.pdf_____________________________________________________________________.exe
4180	powershell.exe
4180	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Dijk Natural Order.pdf_____________________________________________________________________.exeDijk Natural Order.pdf_____________________________________________________________________.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2772	Dijk Natural Order.pdf_____________________________________________________________________.exe
Token: SeDebugPrivilege	4444	Dijk Natural Order.pdf_____________________________________________________________________.exe
Token: SeDebugPrivilege	4180	powershell.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

Dijk Natural Order.pdf_____________________________________________________________________.exeDijk Natural Order.pdf_____________________________________________________________________.execmd.exe

description	pid	process	target process
PID 2772 wrote to memory of 4444	2772	Dijk Natural Order.pdf_____________________________________________________________________.exe	Dijk Natural Order.pdf_____________________________________________________________________.exe
PID 2772 wrote to memory of 4444	2772	Dijk Natural Order.pdf_____________________________________________________________________.exe	Dijk Natural Order.pdf_____________________________________________________________________.exe
PID 2772 wrote to memory of 4444	2772	Dijk Natural Order.pdf_____________________________________________________________________.exe	Dijk Natural Order.pdf_____________________________________________________________________.exe
PID 2772 wrote to memory of 4444	2772	Dijk Natural Order.pdf_____________________________________________________________________.exe	Dijk Natural Order.pdf_____________________________________________________________________.exe
PID 2772 wrote to memory of 4444	2772	Dijk Natural Order.pdf_____________________________________________________________________.exe	Dijk Natural Order.pdf_____________________________________________________________________.exe
PID 2772 wrote to memory of 4444	2772	Dijk Natural Order.pdf_____________________________________________________________________.exe	Dijk Natural Order.pdf_____________________________________________________________________.exe
PID 2772 wrote to memory of 4444	2772	Dijk Natural Order.pdf_____________________________________________________________________.exe	Dijk Natural Order.pdf_____________________________________________________________________.exe
PID 2772 wrote to memory of 4444	2772	Dijk Natural Order.pdf_____________________________________________________________________.exe	Dijk Natural Order.pdf_____________________________________________________________________.exe
PID 4444 wrote to memory of 2136	4444	Dijk Natural Order.pdf_____________________________________________________________________.exe	cmd.exe
PID 4444 wrote to memory of 2136	4444	Dijk Natural Order.pdf_____________________________________________________________________.exe	cmd.exe
PID 4444 wrote to memory of 2136	4444	Dijk Natural Order.pdf_____________________________________________________________________.exe	cmd.exe
PID 2136 wrote to memory of 4180	2136	cmd.exe	powershell.exe
PID 2136 wrote to memory of 4180	2136	cmd.exe	powershell.exe
PID 2136 wrote to memory of 4180	2136	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\Dijk Natural Order.pdf_____________________________________________________________________.exe
"C:\Users\Admin\AppData\Local\Temp\Dijk Natural Order.pdf_____________________________________________________________________.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2772

C:\Users\Admin\AppData\Local\Temp\Dijk Natural Order.pdf_____________________________________________________________________.exe
"C:\Users\Admin\AppData\Local\Temp\Dijk Natural Order.pdf_____________________________________________________________________.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4444

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\Dijk Natural Order.pdf_____________________________________________________________________.exe' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:2136

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\Dijk Natural Order.pdf_____________________________________________________________________.exe'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4180

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Dijk Natural Order.pdf_____________________________________________________________________.exe.log
Filesize
1KB

MD5
fc13935f3038bdde6cb484249fbff668

SHA1
a4c32013e6d59bf1eb1a5119456965de191e62b8

SHA256
de064c569a5f4edaf2da91d7bcb82bab06a35190b699cede1da0aa616a23d676

SHA512
5817275af0f8a48eb1e008d39f62fb3582db9a2d21a806e9f9ee36fbfd799fb17e91f0e3686f4b236724fe78f14ae7f40cd3755f0ec0fb6734ce42f996b798f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\c08e67e7-d17e-42f4-84a8-059771d01a58\AgileDotNetRT.dll
Filesize
94KB

MD5
14ff402962ad21b78ae0b4c43cd1f194

SHA1
f8a510eb26666e875a5bdd1cadad40602763ad72

SHA256
fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b

SHA512
daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b

Download Submit
memory/2136-139-0x0000000000000000-mapping.dmp

Download
memory/2772-132-0x00000000731F0000-0x0000000073279000-memory.dmp

Filesize
548KB

Download
memory/2772-133-0x0000000006290000-0x0000000006834000-memory.dmp

Filesize
5.6MB

Download
memory/2772-134-0x0000000005DC0000-0x0000000005E52000-memory.dmp

Filesize
584KB

Download
memory/2772-130-0x00000000006E0000-0x0000000000882000-memory.dmp

Filesize
1.6MB

Download
memory/4180-145-0x00000000055A0000-0x0000000005606000-memory.dmp

Filesize
408KB

Download
memory/4180-144-0x0000000005500000-0x0000000005522000-memory.dmp

Filesize
136KB

Download
memory/4180-150-0x0000000006890000-0x00000000068B2000-memory.dmp

Filesize
136KB

Download
memory/4180-149-0x0000000007340000-0x00000000073D6000-memory.dmp

Filesize
600KB

Download
memory/4180-141-0x0000000000000000-mapping.dmp

Download
memory/4180-142-0x00000000029E0000-0x0000000002A16000-memory.dmp

Filesize
216KB

Download
memory/4180-143-0x0000000005750000-0x0000000005D78000-memory.dmp

Filesize
6.2MB

Download
memory/4180-148-0x00000000067D0000-0x00000000067EA000-memory.dmp

Filesize
104KB

Download
memory/4180-147-0x0000000007920000-0x0000000007F9A000-memory.dmp

Filesize
6.5MB

Download
memory/4180-146-0x00000000062D0000-0x00000000062EE000-memory.dmp

Filesize
120KB

Download
memory/4444-135-0x0000000000000000-mapping.dmp

Download
memory/4444-138-0x0000000005140000-0x00000000051A6000-memory.dmp

Filesize
408KB

Download
memory/4444-136-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/4444-137-0x0000000004F40000-0x0000000004FDC000-memory.dmp

Filesize
624KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads