ca5902ad221da0095483c07a92712b8d6cd9e7c5733b99dd9d7e8ce4e40bef16

General

Target

WSI20220629_ContractWSI142121Copy001_pdf.exe
Size

523KB
MD5

f44df8e521612af374436c38e064d7cb
SHA1

cc3fbff8f4fde3b36b52a9884861742630581fa9
SHA256

ca5902ad221da0095483c07a92712b8d6cd9e7c5733b99dd9d7e8ce4e40bef16
SHA512

3d2c17896fb66cfc1d2ef55ab1607b7deb43a29103abb6fdd218f9617634e3159257906d92dfb6bf3078580632a1e09bcb7dc71599ef64151bad4320de76b9d8

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

WSI20220629_ContractWSI142121Copy001_pdf.exe

pid	process
1076	WSI20220629_ContractWSI142121Copy001_pdf.exe
1076	WSI20220629_ContractWSI142121Copy001_pdf.exe
1076	WSI20220629_ContractWSI142121Copy001_pdf.exe
1076	WSI20220629_ContractWSI142121Copy001_pdf.exe
1076	WSI20220629_ContractWSI142121Copy001_pdf.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WSI20220629_ContractWSI142121Copy001_pdf.exe

description pid process

Token: SeDebugPrivilege 1076 WSI20220629_ContractWSI142121Copy001_pdf.exe

description	pid	process
Token: SeDebugPrivilege	1076	WSI20220629_ContractWSI142121Copy001_pdf.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

WSI20220629_ContractWSI142121Copy001_pdf.exe

C:\Users\Admin\AppData\Local\Temp\WSI20220629_ContractWSI142121Copy001_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\WSI20220629_ContractWSI142121Copy001_pdf.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1076

C:\Users\Admin\AppData\Local\Temp\WSI20220629_ContractWSI142121Copy001_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\WSI20220629_ContractWSI142121Copy001_pdf.exe"
2⤵
PID:1936

C:\Users\Admin\AppData\Local\Temp\WSI20220629_ContractWSI142121Copy001_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\WSI20220629_ContractWSI142121Copy001_pdf.exe"
2⤵
PID:1348

C:\Users\Admin\AppData\Local\Temp\WSI20220629_ContractWSI142121Copy001_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\WSI20220629_ContractWSI142121Copy001_pdf.exe"
2⤵
PID:1212

C:\Users\Admin\AppData\Local\Temp\WSI20220629_ContractWSI142121Copy001_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\WSI20220629_ContractWSI142121Copy001_pdf.exe"
2⤵
PID:1136

C:\Users\Admin\AppData\Local\Temp\WSI20220629_ContractWSI142121Copy001_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\WSI20220629_ContractWSI142121Copy001_pdf.exe"
2⤵
PID:1164

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1076-54-0x0000000000380000-0x000000000040A000-memory.dmp

Filesize
552KB

Download
memory/1076-55-0x00000000756A1000-0x00000000756A3000-memory.dmp

Filesize
8KB

Download
memory/1076-56-0x00000000004B0000-0x00000000004CE000-memory.dmp

Filesize
120KB

Download
memory/1076-57-0x00000000004D0000-0x00000000004DE000-memory.dmp

Filesize
56KB

Download
memory/1076-58-0x0000000005D70000-0x0000000005DD6000-memory.dmp

Filesize
408KB

Download
memory/1076-59-0x0000000000930000-0x0000000000950000-memory.dmp

Filesize
128KB

Download

description	pid	process	target process
PID 1076 wrote to memory of 1936	1076	WSI20220629_ContractWSI142121Copy001_pdf.exe	WSI20220629_ContractWSI142121Copy001_pdf.exe
PID 1076 wrote to memory of 1936	1076	WSI20220629_ContractWSI142121Copy001_pdf.exe	WSI20220629_ContractWSI142121Copy001_pdf.exe
PID 1076 wrote to memory of 1936	1076	WSI20220629_ContractWSI142121Copy001_pdf.exe	WSI20220629_ContractWSI142121Copy001_pdf.exe
PID 1076 wrote to memory of 1936	1076	WSI20220629_ContractWSI142121Copy001_pdf.exe	WSI20220629_ContractWSI142121Copy001_pdf.exe
PID 1076 wrote to memory of 1348	1076	WSI20220629_ContractWSI142121Copy001_pdf.exe	WSI20220629_ContractWSI142121Copy001_pdf.exe
PID 1076 wrote to memory of 1348	1076	WSI20220629_ContractWSI142121Copy001_pdf.exe	WSI20220629_ContractWSI142121Copy001_pdf.exe
PID 1076 wrote to memory of 1348	1076	WSI20220629_ContractWSI142121Copy001_pdf.exe	WSI20220629_ContractWSI142121Copy001_pdf.exe
PID 1076 wrote to memory of 1348	1076	WSI20220629_ContractWSI142121Copy001_pdf.exe	WSI20220629_ContractWSI142121Copy001_pdf.exe
PID 1076 wrote to memory of 1212	1076	WSI20220629_ContractWSI142121Copy001_pdf.exe	WSI20220629_ContractWSI142121Copy001_pdf.exe
PID 1076 wrote to memory of 1212	1076	WSI20220629_ContractWSI142121Copy001_pdf.exe	WSI20220629_ContractWSI142121Copy001_pdf.exe
PID 1076 wrote to memory of 1212	1076	WSI20220629_ContractWSI142121Copy001_pdf.exe	WSI20220629_ContractWSI142121Copy001_pdf.exe
PID 1076 wrote to memory of 1212	1076	WSI20220629_ContractWSI142121Copy001_pdf.exe	WSI20220629_ContractWSI142121Copy001_pdf.exe
PID 1076 wrote to memory of 1136	1076	WSI20220629_ContractWSI142121Copy001_pdf.exe	WSI20220629_ContractWSI142121Copy001_pdf.exe
PID 1076 wrote to memory of 1136	1076	WSI20220629_ContractWSI142121Copy001_pdf.exe	WSI20220629_ContractWSI142121Copy001_pdf.exe
PID 1076 wrote to memory of 1136	1076	WSI20220629_ContractWSI142121Copy001_pdf.exe	WSI20220629_ContractWSI142121Copy001_pdf.exe
PID 1076 wrote to memory of 1136	1076	WSI20220629_ContractWSI142121Copy001_pdf.exe	WSI20220629_ContractWSI142121Copy001_pdf.exe
PID 1076 wrote to memory of 1164	1076	WSI20220629_ContractWSI142121Copy001_pdf.exe	WSI20220629_ContractWSI142121Copy001_pdf.exe
PID 1076 wrote to memory of 1164	1076	WSI20220629_ContractWSI142121Copy001_pdf.exe	WSI20220629_ContractWSI142121Copy001_pdf.exe
PID 1076 wrote to memory of 1164	1076	WSI20220629_ContractWSI142121Copy001_pdf.exe	WSI20220629_ContractWSI142121Copy001_pdf.exe
PID 1076 wrote to memory of 1164	1076	WSI20220629_ContractWSI142121Copy001_pdf.exe	WSI20220629_ContractWSI142121Copy001_pdf.exe

Analysis

Sharing