e16b85d67c2d3055e9c53debe56cef62a44ed096a6ff9702b7d09d0acbfc6619

General

Target

pdf_a_informação_sobre_a_sua_encomenda.exe
Size

283KB
MD5

530c28d9304996edc2ac21815703fc8d
SHA1

734a2b179c47df7e05da5fd8e28cbb53f20cb35e
SHA256

294176e0c72c90510fa3e5f261e35ac68c4f95921dea4e0ada8ff5f93b6dd980
SHA512

a77e664bbff70da3fdd6ed2445f4b99ef4bccf9f606bfc7d6c2d21895e95df0380546dba368c5c6d52393f179cf74154e9e3b12fbab9e3c1a8d536c533dc03c4
SSDEEP

6144:L1Q5ws/aGsZlW451HODbN3a8+xH+TW6tzsncTO9m:m5x/aGMz504RxH+T5scx

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

Processes:

pdf_a_informação_sobre_a_sua_encomenda.exe

description	pid	process	target process
PID 536 set thread context of 956	536	pdf_a_informação_sobre_a_sua_encomenda.exe	pdf_a_informação_sobre_a_sua_encomenda.exe

Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

pdf_a_informação_sobre_a_sua_encomenda.exeattrib.exe

pid process

956 pdf_a_informação_sobre_a_sua_encomenda.exe
1772 attrib.exe
1772 attrib.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

attrib.exe

pid process

1772 attrib.exe

pid	process
956	pdf_a_informação_sobre_a_sua_encomenda.exe
1772	attrib.exe
1772	attrib.exe

pid	process
1772	attrib.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

pdf_a_informação_sobre_a_sua_encomenda.exepdf_a_informação_sobre_a_sua_encomenda.exeattrib.exe

description	pid	process	target process
PID 536 wrote to memory of 956	536	pdf_a_informação_sobre_a_sua_encomenda.exe	pdf_a_informação_sobre_a_sua_encomenda.exe
PID 536 wrote to memory of 956	536	pdf_a_informação_sobre_a_sua_encomenda.exe	pdf_a_informação_sobre_a_sua_encomenda.exe
PID 536 wrote to memory of 956	536	pdf_a_informação_sobre_a_sua_encomenda.exe	pdf_a_informação_sobre_a_sua_encomenda.exe
PID 536 wrote to memory of 956	536	pdf_a_informação_sobre_a_sua_encomenda.exe	pdf_a_informação_sobre_a_sua_encomenda.exe
PID 536 wrote to memory of 956	536	pdf_a_informação_sobre_a_sua_encomenda.exe	pdf_a_informação_sobre_a_sua_encomenda.exe
PID 536 wrote to memory of 956	536	pdf_a_informação_sobre_a_sua_encomenda.exe	pdf_a_informação_sobre_a_sua_encomenda.exe
PID 536 wrote to memory of 956	536	pdf_a_informação_sobre_a_sua_encomenda.exe	pdf_a_informação_sobre_a_sua_encomenda.exe
PID 536 wrote to memory of 956	536	pdf_a_informação_sobre_a_sua_encomenda.exe	pdf_a_informação_sobre_a_sua_encomenda.exe
PID 536 wrote to memory of 956	536	pdf_a_informação_sobre_a_sua_encomenda.exe	pdf_a_informação_sobre_a_sua_encomenda.exe
PID 536 wrote to memory of 956	536	pdf_a_informação_sobre_a_sua_encomenda.exe	pdf_a_informação_sobre_a_sua_encomenda.exe
PID 536 wrote to memory of 956	536	pdf_a_informação_sobre_a_sua_encomenda.exe	pdf_a_informação_sobre_a_sua_encomenda.exe
PID 956 wrote to memory of 1772	956	pdf_a_informação_sobre_a_sua_encomenda.exe	attrib.exe
PID 956 wrote to memory of 1772	956	pdf_a_informação_sobre_a_sua_encomenda.exe	attrib.exe
PID 956 wrote to memory of 1772	956	pdf_a_informação_sobre_a_sua_encomenda.exe	attrib.exe
PID 956 wrote to memory of 1772	956	pdf_a_informação_sobre_a_sua_encomenda.exe	attrib.exe
PID 956 wrote to memory of 1772	956	pdf_a_informação_sobre_a_sua_encomenda.exe	attrib.exe
PID 1772 wrote to memory of 1684	1772	attrib.exe	explorer.exe
PID 1772 wrote to memory of 1684	1772	attrib.exe	explorer.exe
PID 1772 wrote to memory of 1684	1772	attrib.exe	explorer.exe
PID 1772 wrote to memory of 1684	1772	attrib.exe	explorer.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

1772 attrib.exe

pid	process
1772	attrib.exe

C:\Users\Admin\AppData\Local\Temp\pdf_a_informação_sobre_a_sua_encomenda.exe
"C:\Users\Admin\AppData\Local\Temp\pdf_a_informação_sobre_a_sua_encomenda.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:536

C:\Users\Admin\AppData\Local\Temp\pdf_a_informação_sobre_a_sua_encomenda.exe
"C:\Users\Admin\AppData\Local\Temp\pdf_a_informação_sobre_a_sua_encomenda.exe"
2⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:956

C:\Windows\SysWOW64\attrib.exe
attrib.exe
3⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- Views/modifies file attributes
PID:1772

C:\Windows\SysWOW64\explorer.exe
explorer.exe
4⤵
PID:1684

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

1

T1158

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\uswtohaw\ygiraqen.dat
Filesize
489KB

MD5
b78ba4550a3f1a21fb4b90ae95efc1d3

SHA1
c3dccc7c1162687243144a37f89f2e024d8db07f

SHA256
8490f436358abc5daa13f140540efe4b28b7b2ef08c165c0254109a80730b351

SHA512
64f5a33a5df758422fd0e0e3b477d53a1cf7c194c963bbc412eb2aa19094f887814a9a8f6b9553501fbcbe6b00228716b2b8117fdbd737639ebf5531173b10fb

Download Submit
memory/536-65-0x00000000046D0000-0x00000000046D3000-memory.dmp

Filesize
12KB

Download
memory/536-55-0x0000000074CB0000-0x000000007525B000-memory.dmp

Filesize
5.7MB

Download
memory/536-54-0x0000000075BA1000-0x0000000075BA3000-memory.dmp

Filesize
8KB

Download
memory/536-68-0x0000000074CB0000-0x000000007525B000-memory.dmp

Filesize
5.7MB

Download
memory/956-61-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/956-59-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/956-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/956-62-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/956-67-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/956-57-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/956-60-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/956-63-0x00000000009191FE-mapping.dmp

Download
memory/956-69-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/956-70-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/956-56-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/956-72-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1296-74-0x0000000002650000-0x0000000002674000-memory.dmp

Filesize
144KB

Download
memory/1684-76-0x00000000751A1000-0x00000000751A3000-memory.dmp

Filesize
8KB

Download
memory/1772-73-0x0000000000180000-0x00000000001D1000-memory.dmp

Filesize
324KB

Download
memory/1772-71-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing