Analysis
- max time kernel: 592s
- max time network: 616s
- platform: windows7_x64
- resource: win7-20220718-en
- resource tags: arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
- submitted: 10-08-2022 08:28
Static task: static1
Behavioral task: behavioral1
- Sample: Document.pdf.exe
- Resource: win7-20220718-en
Behavioral task: behavioral2
- Sample: Document.pdf.exe
- Resource: win10v2004-20220721-en
General
- Target: Document.pdf.exe
- Size: 362.9MB
- MD5: 23531c33d025a8e7466511284ecaf046
- SHA1: f93032d253b36df7a339a22bacfd3aaf2827a1af
- SHA256: 9d7f63ff52fbd0c5850a599fc8e3b6999fc93b742333d85275db9ee547c4348a
- SHA512: 3430525b0a078bd3e2af8e5c1ffc2b99319487d9736924c98a937a771aeb26908f711a01ea1208553f29e11f146d12285fbca53b71209e00668e023af7fc51a8
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: SETUP_~2.EXE (pid 1584)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: Document.pdf.exe
  - Key created: \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: SETUP_~2.EXE (pid 1584), Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: PID 1672 (Document.pdf.exe) wrote to memory of PID 1584 (SETUP_~2.EXE); the same entry is recorded 7 times
Processes
1. C:\Users\Admin\AppData\Local\Temp\Document.pdf.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Document.pdf.exe"
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
2. (child of 1) C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~2.EXE
   Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~2.EXE
   - Executes dropped EXE
   - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~2.EXE
  Filesize: 333.8MB
  MD5: eb7ff434c93e6bf312ad028178e25183
  SHA1: bbea766fe135a3ef4e9e13f3e5c933a22a9adeed
  SHA256: 7b4b6a198ec51d960953b6b973985096fa796927fdd1b0552e7455a725c2ea0b
  SHA512: 56ce9597203a3b960d0824036dfa693f31d81815effdeecc843c7d1d0c4e8c71396d5bb232cc39eff34fefce1eac29d7753cc19f2f0873690bba8ce853d3a874
- memory/1584-54-0x0000000000000000-mapping.dmp
- memory/1584-57-0x0000000000370000-0x0000000000380000-memory.dmp
  Filesize: 64KB
- memory/1584-58-0x0000000076291000-0x0000000076293000-memory.dmp
  Filesize: 8KB