Analysis

max time kernel:   147s
max time network:  149s
platform:          windows7_x64
resource:          win7-20220812-en
resource tags:     arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted:         20-12-2022 14:53

Static task:       static1
Behavioral task:   behavioral1
Sample:            PEDIDO pdf.exe
Resource:          win7-20220812-en
General

Target:  PEDIDO pdf.exe
Size:    752KB
MD5:     e3698fc9d5c6152297de00168360d550
SHA1:    eb53bcf6fd90162cc5b3d74fd018e6a981919c43
SHA256:  26166c41b0a5364406a3c3f9c42d3f2bc3786aa5f32c71ee0675773bd7cc2125
SHA512:  7c3c6c80fbda902fbde5ff554147852295d7c9508f4237ca3fba8ce03e7ae94cabb8d259f01dcd029036c5b7e845ac6c657a7638b5e9319ff66f6f298d9e55f2
SSDEEP:  12288:mUdLctyTcf0hA/p4f2MjHJJY90LmRO1oTznmbhMGg3g43XR8:0UT40a/p4f2QLmEiTznmbvg3R3XR8

The file name poses as a document (PEDIDO, Spanish for "order", followed by a " pdf.exe" suffix), the usual shape of a mail-delivered lure; the hashes above are the values to pivot on.
Malware Config

Extracted
Family:       formbook
Campaign ID:  asdo (label restored; the extract kept only the values)
Encoded strings, as extracted:
31/RFVD/FFkpCuo=
LS2evkT1Hf54yJ3A01ZhjLFKSw==
Dw25w8eoM4HRQ9T8YA==
F2rI9TgH1uCf
VOuuxD/qTPifG/QDJ76coQ==
9smUEHwvvAcD3rnTM3IZg7fh
k4RlZq6jXYrfEg==
1+E7QsiGloB8qoio4Oh/
dALS/H0nMg+jCtM1RpZ+
thNv9GMouDLIFvESJ76coQ==
Tc54uifIU66mck2hvrtXnVbp
cINUAYgiqlkpCuo=
ma2AwPyPmpxd2bPRMksak0T7uEg9kA==
RlMlYJ9UpFIz7dg1RpZ+
klG+mNmHrHcFhmZ12SNGhmN+0f6MaMs=
V/nT2VgHD+hito+tBumEzTyVl5g=
0Zto8FjseN7v8MAW6ZkZg7fh
gbGlkddlXYrfEg==
pymXGHouvjhnKg8+qD8bLcY=
VelU01Tk/+CzegtywL4=
beu8i8uQo444B/I=
l1M5dadWfFDeV+s9sqk=
/dYkHYIfGV7iGA==
yI9kAZU8sDb2xrLNME4qL1L8A1UDR0OUTA==
Kfe3Bk7moSq5R+T9SYR9qQ==
qOu+wD/TXqzjQ9T8YA==
gwj+jqGpw1nLC/0=
AossQ3UoIIdVQaw8Qrt39kyJVA==
8LSKJa5YfmQ89cT/ecbD8xsqqOY2WJHY
0B3g3lkKOCTyMP4Y
wsAuMK9S5GDVQ9T8YA==
MWg6ADHDUNx798o1RpZ+
+72b1gyswJlV+Nc1RpZ+
Sw3lduGKXYrfEg==
80+uIIs4wk0fHfc=
pD8e4SDKUbj08LYZJnmGrg==
xxTq1hvSAQGl6Nf8PpOhCN12a4U=
YqmMV6xd71Cj38P0TZSIzjyVl5g=
dvNQ4FX8oersPiFXxNd2
LQfLIFcA+NFGmnSu/Wd6s03ye5CxR0OUTA==
qwNh7W8Yp1kpCuo=
BVci+UD6CS+lIfca
EAPiDT3fBA7wuI28CTu0J9E=
cLWLnh7W7vPyMP4Y
AIvnULNVyjd7rUx3wbw=
4eNBGEvs69ru8Lz+J76coQ==
xij4yO2DJIbQQ9T8YA==
DtnMDfkH1uCf
Vdm1hqpJVmckmGyb+xHn6yvMWKdbtz/X
6suQ4TbR5PHHaTNdwBoyUXqbrulBPsU=
iUJfoPR8XYrfEg==
1dg8GFYOGfbyMP4Y
jJZbru2GpG/VQ9T8YA==
BYtrRoA53ixudFOW/ju0J9E=
t0YlD4JO+WejmX6b7Du0J9E=
SBd2efu0XOnu/+g=
lSmLCnwmxiAe/MvoOVYzPjyVl5g=
BhFhVLlkzKEOQ9T8YA==
HeW78yHca87Xtpy7GGFep077uEg9kA==
aTobtETW3LLDMhpFkItevrdLQw==
laVzGpVKyTx+bQtywL4=
QDubmhTJgQ0OHvc=
K6PvmaTA4K0TQ9T8YA==
5/FSIl39tjnJF/ISJ76coQ==
Hostname:     somosterraingenieria.com

Formbook configs embed a list of encrypted decoy hostnames alongside the real C2; the base64-looking entries above are that encoded list as the extractor dumped it and are not usable as indicators as they stand. The plaintext hostname is the one value to pivot on, and it should be corroborated against the network capture before it is blocked.
Signatures
-
Blocklisted process makes network request (1 IoC)
Processes:
  flow  pid   process
  7     1708  rundll32.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
Processes:
  description        ioc                                                                                                   process
  Key value queried  \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\International\Geo\Nation  PEDIDO pdf.exe
Loads dropped DLL (1 IoC)
Processes:
  pid   process
  1708  rundll32.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.
-
Suspicious use of SetThreadContext (4 IoCs)
Processes:
  pid   process         target pid  target process
  1992  PEDIDO pdf.exe  828         PEDIDO pdf.exe
  828   PEDIDO pdf.exe  1232        Explorer.EXE
  828   PEDIDO pdf.exe  1232        Explorer.EXE
  1708  rundll32.exe    1232        Explorer.EXE
Read in order: the first instance (1992) sets the thread context of a second copy of itself (828); that copy then does the same to the already-running desktop Explorer.EXE (1232), and the rundll32.exe it spawns (1708) repeats it against Explorer.EXE.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
This is a generic heuristic: it carries no IoC rows here and the extracted config identifies an infostealer, so do not read it as evidence of file encryption.

Modifies Internet Explorer settings (1 IoC; heading as listed for rundll32.exe in the process tree)
Processes:
  description  ioc                                                                                                                      process
  Key created  \Registry\User\S-1-5-21-999675638-2867687379-27515722-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2  rundll32.exe
IntelliForms\Storage2 is where Internet Explorer keeps its AutoComplete form and password data; its creation by rundll32.exe rather than iexplore.exe lines up with the browser-data signature above.
Suspicious behavior: EnumeratesProcesses (17 IoCs)
Processes:
  pid   process         occurrences
  828   PEDIDO pdf.exe  5
  1708  rundll32.exe    12
Suspicious behavior: MapViewOfSection (8 IoCs)
Processes:
  pid   process         occurrences
  828   PEDIDO pdf.exe  4
  1708  rundll32.exe    4
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description              pid   process
  Token: SeDebugPrivilege  828   PEDIDO pdf.exe
  Token: SeDebugPrivilege  1708  rundll32.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes:
  pid   process       occurrences
  1232  Explorer.EXE  2

Suspicious use of SendNotifyMessage (2 IoCs)
Processes:
  pid   process       occurrences
  1232  Explorer.EXE  2
Explorer.EXE (1232) is the process whose thread context 828 and 1708 set (see SetThreadContext above), so calls attributed to it after that point may come from the injected code rather than from the shell itself.
Suspicious use of WriteProcessMemory (19 IoCs)
Processes:
  pid   process         target pid  target process  occurrences
  1992  PEDIDO pdf.exe  828         PEDIDO pdf.exe  7
  828   PEDIDO pdf.exe  1708        rundll32.exe    7
  1708  rundll32.exe    2036        Firefox.exe     5
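The SetThreadContext and WriteProcessMemory rows above, reconstructed as an injection chain. This is an added example, not part of the report and not the sandbox's own signature logic: EVENTS is transcribed from those rows with repeats collapsed, PARENT is read off the process tree using the PIDs the rows give, and the rule names, the LOLBin list and the browser list are my own.

```python
"""Reconstruct the injection chain from the report's API rows (added example)."""
from collections import defaultdict

# (api, source pid, source image, target pid, target image), constructed from the report.
EVENTS = [
    ("WriteProcessMemory", 1992, "PEDIDO pdf.exe", 828, "PEDIDO pdf.exe"),
    ("SetThreadContext",   1992, "PEDIDO pdf.exe", 828, "PEDIDO pdf.exe"),
    ("WriteProcessMemory", 828,  "PEDIDO pdf.exe", 1708, "rundll32.exe"),
    ("SetThreadContext",   828,  "PEDIDO pdf.exe", 1232, "Explorer.EXE"),
    ("SetThreadContext",   1708, "rundll32.exe",   1232, "Explorer.EXE"),
    ("WriteProcessMemory", 1708, "rundll32.exe",   2036, "Firefox.exe"),
]

# child pid -> parent pid, read off the process tree; Explorer.EXE (1232) is the root.
PARENT = {1992: 1232, 828: 1992, 1708: 828, 2036: 1708}

# Assumed lists, not from the report.
LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "regasm.exe"}
BROWSERS = {"firefox.exe", "chrome.exe", "iexplore.exe", "msedge.exe"}


def classify_injections(events, parent):
    """Return [(technique, src_pid, dst_pid), ...] in event order, deduplicated.

    hollowing          src wrote into and set the thread context of a child it
                       spawned whose image name matches its own (RunPE-style).
    lolbin_payload     src wrote into a child it spawned that is a system LOLBin.
    thread_hijack      src set the thread context of a process it did not spawn,
                       i.e. an already-running process such as the desktop Explorer.
    browser_injection  src wrote into a browser process.
    """
    wrote = defaultdict(set)  # src pid -> pids it wrote memory into
    for api, src, _, dst, _ in events:
        if api == "WriteProcessMemory":
            wrote[src].add(dst)

    findings, seen = [], set()
    for api, src, src_img, dst, dst_img in events:
        spawned_by_src = parent.get(dst) == src
        img = dst_img.lower()
        if api == "SetThreadContext":
            if spawned_by_src and dst in wrote[src] and img == src_img.lower():
                tag = "hollowing"
            elif not spawned_by_src:
                tag = "thread_hijack"
            else:
                tag = "child_thread_context"
        elif api == "WriteProcessMemory" and spawned_by_src and img in LOLBINS:
            tag = "lolbin_payload"
        elif api == "WriteProcessMemory" and img in BROWSERS:
            tag = "browser_injection"
        else:
            continue
        key = (tag, src, dst)
        if key not in seen:
            seen.add(key)
            findings.append(key)
    return findings


def render_chain(events, findings):
    """One line per finding, e.g. 'PEDIDO pdf.exe(1992) --hollowing--> PEDIDO pdf.exe(828)'."""
    name = {}
    for _, src, src_img, dst, dst_img in events:
        name[src], name[dst] = src_img, dst_img
    return [f"{name[s]}({s}) --{tag}--> {name[d]}({d})" for tag, s, d in findings]


if __name__ == "__main__":
    for line in render_chain(EVENTS, classify_injections(EVENTS, PARENT)):
        print(line)
```

The parent map is what separates the two uses of SetThreadContext: against a child the caller just created it is hollowing, against a process that was already running (Explorer.EXE here) it is thread hijacking of a foreign process, which is the stronger signal on a real host because there is no benign reason for a program in %TEMP% to do it.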
Processes

1  C:\Windows\Explorer.EXE
   command line: C:\Windows\Explorer.EXE
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage

   2  C:\Users\Admin\AppData\Local\Temp\PEDIDO pdf.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\PEDIDO pdf.exe"
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

      3  C:\Users\Admin\AppData\Local\Temp\PEDIDO pdf.exe
         command line: "C:\Users\Admin\AppData\Local\Temp\PEDIDO pdf.exe"
         - Checks computer location settings
         - Suspicious use of SetThreadContext
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: MapViewOfSection
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory

         4  C:\Windows\SysWOW64\rundll32.exe
            command line: "C:\Windows\SysWOW64\rundll32.exe"
            - Blocklisted process makes network request
            - Loads dropped DLL
            - Suspicious use of SetThreadContext
            - Modifies Internet Explorer settings
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

            5  C:\Program Files\Mozilla Firefox\Firefox.exe
               command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"

Note that rundll32.exe (level 4) runs with no DLL argument at all. A bare rundll32.exe whose parent is an executable in %TEMP% is an injection host, not a legitimate use of the binary, and is worth a hunting rule on its own.
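The non-injection artifacts in this report (execution path, the bare rundll32.exe command line, the Geo\Nation query, the IntelliForms\Storage2 key, the DLL loaded from %TEMP%, and the file hashes) turned into a small set of hunting rules. This is an added example, not the sandbox's signature logic: PROCESSES, REG_EVENTS and FILE_EVENTS are transcribed from the report, the rule names and path markers are mine, and because the report does not say which process wrote sqlite3.dll to disk, the file is recorded only as a load by rundll32.exe.

```python
"""Hunting rules over the report's host artifacts (added example)."""
import re

SID = r"S-1-5-21-999675638-2867687379-27515722-1000"

# pid -> image path and command line, as the process tree shows them.
PROCESSES = {
    1232: {"image": r"C:\Windows\Explorer.EXE",
           "cmdline": r"C:\Windows\Explorer.EXE"},
    1992: {"image": r"C:\Users\Admin\AppData\Local\Temp\PEDIDO pdf.exe",
           "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\PEDIDO pdf.exe"'},
    828:  {"image": r"C:\Users\Admin\AppData\Local\Temp\PEDIDO pdf.exe",
           "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\PEDIDO pdf.exe"'},
    1708: {"image": r"C:\Windows\SysWOW64\rundll32.exe",
           "cmdline": r'"C:\Windows\SysWOW64\rundll32.exe"'},
    2036: {"image": r"C:\Program Files\Mozilla Firefox\Firefox.exe",
           "cmdline": r'"C:\Program Files\Mozilla Firefox\Firefox.exe"'},
}

# (operation, pid, key), from the two registry IoCs in the report.
REG_EVENTS = [
    ("query", 828, r"\REGISTRY\USER\%s\Control Panel\International\Geo\Nation" % SID),
    ("create", 1708, r"\Registry\User\%s\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2" % SID),
]

# (operation, pid, path, sha256): the sample itself and the dropped DLL it loads.
FILE_EVENTS = [
    ("exec", 1992, PROCESSES[1992]["image"],
     "26166c41b0a5364406a3c3f9c42d3f2bc3786aa5f32c71ee0675773bd7cc2125"),
    ("load", 1708, r"C:\Users\Admin\AppData\Local\Temp\sqlite3.dll",
     "002459f4d4758011b4d7f36935f1fe323494b847f8c173a551076a3d30475ebc"),
]

# Hashes lifted from the report for matching on other hosts. sqlite3.dll is often
# a legitimate library dropped to read browser databases, so a hit on it
# corroborates; it does not convict on its own.
KNOWN_SHA256 = {e[3] for e in FILE_EVENTS}

# Assumed markers for user-writable locations.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\users\\public\\")


def is_user_writable(path):
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def bare_rundll32(cmdline):
    """True when rundll32.exe is invoked with no DLL,entrypoint argument at all."""
    return re.fullmatch(r'\s*"?(?:[^"]*\\)?rundll32\.exe"?\s*', cmdline, re.I) is not None


def triage(processes, reg_events, file_events, known_sha256):
    """Return [(rule, pid, detail), ...] for every rule that fires."""
    findings = []
    for pid, p in processes.items():
        if is_user_writable(p["image"]):
            findings.append(("exec_from_user_writable", pid, p["image"]))
        if p["image"].lower().endswith("\\rundll32.exe") and bare_rundll32(p["cmdline"]):
            findings.append(("bare_rundll32", pid, p["cmdline"]))
    for op, pid, key in reg_events:
        k, img = key.lower(), processes[pid]["image"].lower()
        # Locale lookup by something outside C:\Windows: the geofence pattern.
        if k.endswith("\\control panel\\international\\geo\\nation") and not img.startswith("c:\\windows\\"):
            findings.append(("geofence_check", pid, key))
        # IE AutoComplete credential store touched by anything that is not IE.
        if op in ("create", "write") and "\\internet explorer\\intelliforms\\storage2" in k \
                and not img.endswith("\\iexplore.exe"):
            findings.append(("ie_autocomplete_store", pid, key))
    for op, pid, path, sha in file_events:
        img = processes[pid]["image"].lower()
        if op == "load" and is_user_writable(path) and img.startswith("c:\\windows\\"):
            findings.append(("system_binary_loads_temp_dll", pid, path))
        if sha.lower() in known_sha256:
            findings.append(("known_hash", pid, sha))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in triage(PROCESSES, REG_EVENTS, FILE_EVENTS, KNOWN_SHA256):
        print(f"{rule:<30} pid={pid:<5} {detail}")
```

Each rule is deliberately independent of the sample's hashes except the last one, so the same logic keeps firing on a rebuilt or repacked copy; the hash rule is there for the cheap win on hosts that received this exact file.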
Network

MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
-
\Users\Admin\AppData\Local\Temp\sqlite3.dll
  Filesize:  831KB
  MD5:       05ace2f6d9bef6fd9bbd05ee5262a1f2
  SHA1:      5cce2228e0d9c6cc913cf551e0bf7c76ed74ff59
  SHA256:    002459f4d4758011b4d7f36935f1fe323494b847f8c173a551076a3d30475ebc
  SHA512:    1e717a66a72eb626727144fa7458f472ada54fd1be37072c9e740945e34ba94025737aef44e54752c50c5b79a583c6a91a0d8043bf1bf7c3e7cab8537207f9fc
-
Memory dumps

  dump                                                             size
  memory/828-70-0x0000000000190000-0x00000000001A0000-memory.dmp   64KB
  memory/828-77-0x0000000000401000-0x000000000042F000-memory.dmp   184KB
  memory/828-69-0x0000000000A40000-0x0000000000D43000-memory.dmp   3.0MB
  memory/828-73-0x00000000001D0000-0x00000000001E0000-memory.dmp   64KB
  memory/828-76-0x0000000000400000-0x000000000042F000-memory.dmp   188KB
  memory/828-60-0x0000000000400000-0x000000000042F000-memory.dmp   188KB
  memory/828-61-0x0000000000400000-0x000000000042F000-memory.dmp   188KB
  memory/828-63-0x0000000000400000-0x000000000042F000-memory.dmp   188KB
  memory/828-64-0x00000000004012B0-mapping.dmp                     (mapping, no size)
  memory/828-66-0x0000000000400000-0x000000000042F000-memory.dmp   188KB
  memory/828-67-0x0000000000400000-0x000000000042F000-memory.dmp   188KB
  memory/828-68-0x0000000000401000-0x000000000042F000-memory.dmp   184KB
  memory/1232-83-0x0000000005F20000-0x000000000601D000-memory.dmp  1012KB
  memory/1232-74-0x0000000003DE0000-0x0000000003E93000-memory.dmp  716KB
  memory/1232-85-0x0000000005F20000-0x000000000601D000-memory.dmp  1012KB
  memory/1232-71-0x00000000026E0000-0x00000000027AC000-memory.dmp  816KB
  memory/1708-80-0x00000000000D0000-0x00000000000FD000-memory.dmp  180KB
  memory/1708-75-0x0000000000000000-mapping.dmp                    (mapping, no size)
  memory/1708-81-0x0000000002120000-0x0000000002423000-memory.dmp  3.0MB
  memory/1708-79-0x0000000000D10000-0x0000000000D1E000-memory.dmp  56KB
  memory/1708-84-0x00000000000D0000-0x00000000000FD000-memory.dmp  180KB
  memory/1708-82-0x0000000000A60000-0x0000000000AEF000-memory.dmp  572KB
  memory/1992-56-0x00000000005B0000-0x00000000005C0000-memory.dmp  64KB
  memory/1992-58-0x0000000005150000-0x00000000051C0000-memory.dmp  448KB
  memory/1992-55-0x00000000754E1000-0x00000000754E3000-memory.dmp  8KB
  memory/1992-54-0x0000000000F30000-0x0000000000FF2000-memory.dmp  776KB
  memory/1992-59-0x0000000004400000-0x0000000004434000-memory.dmp  208KB
  memory/1992-57-0x00000000005E0000-0x00000000005EA000-memory.dmp  40KB

Two things stand out in this list. The 0x400000-0x42F000 region of PID 828 is the default image base of the hollowed second instance and was dumped six times, so that is where to look for the unpacked payload rather than in the 752KB file on disk. The 3.0MB regions in 828 (from 0xA40000) and 1708 (from 0x2120000) are the same size, 0x303000 bytes, which is what you expect when one payload is written into both processes.
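A parser for the dump names above that groups regions by PID, counts repeated dumps of the same range, and reports region sizes shared across processes, which is how the equal-sized 3.0MB regions in PIDs 828 and 1708 surface mechanically. This is an added example, not part of the report and not an official description of the sandbox's file naming: DUMPS is copied from the list above, the convention memory/<pid>-<seq>-0x<start>[-0x<end>]-<memory|mapping>.dmp is inferred from those names, and the function names and the size floor are mine.

```python
"""Parse the report's memory-dump names and correlate regions across PIDs (added example)."""
import re
from collections import defaultdict

# Inferred from the names in the report; not a documented format.
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+))?-(?P<kind>memory|mapping)\.dmp$"
)

# Copied from the report (a subset of the list is enough to show the correlation).
DUMPS = [
    "memory/828-70-0x0000000000190000-0x00000000001A0000-memory.dmp",
    "memory/828-77-0x0000000000401000-0x000000000042F000-memory.dmp",
    "memory/828-69-0x0000000000A40000-0x0000000000D43000-memory.dmp",
    "memory/828-73-0x00000000001D0000-0x00000000001E0000-memory.dmp",
    "memory/828-76-0x0000000000400000-0x000000000042F000-memory.dmp",
    "memory/828-60-0x0000000000400000-0x000000000042F000-memory.dmp",
    "memory/828-61-0x0000000000400000-0x000000000042F000-memory.dmp",
    "memory/828-63-0x0000000000400000-0x000000000042F000-memory.dmp",
    "memory/828-64-0x00000000004012B0-mapping.dmp",
    "memory/828-66-0x0000000000400000-0x000000000042F000-memory.dmp",
    "memory/828-67-0x0000000000400000-0x000000000042F000-memory.dmp",
    "memory/828-68-0x0000000000401000-0x000000000042F000-memory.dmp",
    "memory/1232-83-0x0000000005F20000-0x000000000601D000-memory.dmp",
    "memory/1232-74-0x0000000003DE0000-0x0000000003E93000-memory.dmp",
    "memory/1708-80-0x00000000000D0000-0x00000000000FD000-memory.dmp",
    "memory/1708-75-0x0000000000000000-mapping.dmp",
    "memory/1708-81-0x0000000002120000-0x0000000002423000-memory.dmp",
    "memory/1708-79-0x0000000000D10000-0x0000000000D1E000-memory.dmp",
    "memory/1708-84-0x00000000000D0000-0x00000000000FD000-memory.dmp",
    "memory/1708-82-0x0000000000A60000-0x0000000000AEF000-memory.dmp",
    "memory/1992-56-0x00000000005B0000-0x00000000005C0000-memory.dmp",
    "memory/1992-54-0x0000000000F30000-0x0000000000FF2000-memory.dmp",
]


def parse_dump(name):
    """Split one dump name into pid, seq, kind, start and end (None for mapping dumps)."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    return {"pid": int(m["pid"]), "seq": int(m["seq"]), "kind": m["kind"],
            "start": int(m["start"], 16),
            "end": int(m["end"], 16) if m["end"] else None}


def human(size):
    """Size the way the report prints it: whole KB below 1 MiB, one decimal MB above."""
    return f"{size / (1 << 20):.1f}MB" if size >= 1 << 20 else f"{size // 1024}KB"


def summarize(names):
    """pid -> {(start, end): number of times that range was dumped}, range dumps only."""
    out = defaultdict(lambda: defaultdict(int))
    for d in map(parse_dump, names):
        if d["kind"] == "memory":
            out[d["pid"]][(d["start"], d["end"])] += 1
    return {pid: dict(ranges) for pid, ranges in out.items()}


def shared_region_sizes(names, min_size=1 << 20):
    """size -> sorted pids that each hold a region of exactly that size (>= min_size).
    Identical, unusual sizes in two processes are what one payload written into
    both looks like; 64KB-class sizes are too common to mean anything, hence the
    1 MiB default floor."""
    by_size = defaultdict(set)
    for pid, ranges in summarize(names).items():
        for start, end in ranges:
            if end - start >= min_size:
                by_size[end - start].add(pid)
    return {size: sorted(pids) for size, pids in by_size.items() if len(pids) > 1}


def image_base_pids(names, base=0x400000):
    """pids with a dumped region at the default 32-bit image base: in a hollowed
    child that region is the unpacked payload, not the file on disk."""
    return sorted(pid for pid, ranges in summarize(names).items()
                  if any(start == base for start, _ in ranges))


def mapping_addresses(names):
    """pid -> the single address recorded by its mapping dump."""
    return {d["pid"]: d["start"] for d in map(parse_dump, names) if d["kind"] == "mapping"}


if __name__ == "__main__":
    for pid, ranges in sorted(summarize(DUMPS).items()):
        for (start, end), n in sorted(ranges.items()):
            print(f"{pid:>5} {start:#010x}-{end:#010x} {human(end - start):>7} x{n}")
    print("shared:", {human(s): p for s, p in shared_region_sizes(DUMPS).items()},
          "image base in:", image_base_pids(DUMPS),
          "mapping:", {p: hex(a) for p, a in mapping_addresses(DUMPS).items()})
```

The mapping dump for PID 828 records 0x4012B0, an address inside that process's 0x400000 region, which makes it the natural first candidate for the entry point of the hollowed image when you open the 188KB dump in a disassembler.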