f3e316f6fd4ae963b581ccbd173334387fc4700cd7f4bc09e664c94c1df228c8

General

Target

Payment Advise 201223 pdf.exe
Size

951KB
MD5

43e62f55ca87bca9958904980c6a739e
SHA1

8049cf6db6349ce872022bf7c25ecc392946fc65
SHA256

860a1dfc03c5420e2fc343a66434075b286deb3ecb03134486d24c18ef60687d
SHA512

62471d5d804a8a807d69e0db7b298ae785d7036e165ba6e0d09d50fce6aa7719e36d1f81c3f139a254c7e4dc55e2b36b5ba6e0c38b380be586ad646b59adda97
SSDEEP

12288:LyXbgBFhPQN39BnbG5WKb6M8rePfIs7ReZei:KgBFyJfnq5WKb6M8reoIReZ9

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1692 set thread context of 2952	1692	Payment Advise 201223 pdf.exe	28
PID 2952 set thread context of 1212	2952	Payment Advise 201223 pdf.exe	12
PID 2952 set thread context of 2272	2952	Payment Advise 201223 pdf.exe	31
PID 2272 set thread context of 1212	2272	mcbuilder.exe	12

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
1692	Payment Advise 201223 pdf.exe
1692	Payment Advise 201223 pdf.exe
2952	Payment Advise 201223 pdf.exe
2952	Payment Advise 201223 pdf.exe
2952	Payment Advise 201223 pdf.exe
2952	Payment Advise 201223 pdf.exe
2952	Payment Advise 201223 pdf.exe
2952	Payment Advise 201223 pdf.exe
2952	Payment Advise 201223 pdf.exe
2952	Payment Advise 201223 pdf.exe
2272	mcbuilder.exe
2272	mcbuilder.exe
2272	mcbuilder.exe
2272	mcbuilder.exe
2272	mcbuilder.exe
2272	mcbuilder.exe
2272	mcbuilder.exe
2272	mcbuilder.exe
2272	mcbuilder.exe
2272	mcbuilder.exe
2272	mcbuilder.exe
2272	mcbuilder.exe
2272	mcbuilder.exe
2272	mcbuilder.exe
2272	mcbuilder.exe
2272	mcbuilder.exe
2272	mcbuilder.exe
2272	mcbuilder.exe
2272	mcbuilder.exe
2272	mcbuilder.exe
2272	mcbuilder.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
2952	Payment Advise 201223 pdf.exe
1212	Explorer.EXE
1212	Explorer.EXE
2272	mcbuilder.exe
2272	mcbuilder.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1692	Payment Advise 201223 pdf.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1692 wrote to memory of 2952	1692	Payment Advise 201223 pdf.exe	28
PID 1692 wrote to memory of 2952	1692	Payment Advise 201223 pdf.exe	28
PID 1692 wrote to memory of 2952	1692	Payment Advise 201223 pdf.exe	28
PID 1692 wrote to memory of 2952	1692	Payment Advise 201223 pdf.exe	28
PID 1692 wrote to memory of 2952	1692	Payment Advise 201223 pdf.exe	28
PID 1692 wrote to memory of 2952	1692	Payment Advise 201223 pdf.exe	28
PID 1692 wrote to memory of 2952	1692	Payment Advise 201223 pdf.exe	28
PID 1212 wrote to memory of 2272	1212	Explorer.EXE	31
PID 1212 wrote to memory of 2272	1212	Explorer.EXE	31
PID 1212 wrote to memory of 2272	1212	Explorer.EXE	31
PID 1212 wrote to memory of 2272	1212	Explorer.EXE	31

C:\Users\Admin\AppData\Local\Temp\Payment Advise 201223 pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Advise 201223 pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1692
- C:\Users\Admin\AppData\Local\Temp\Payment Advise 201223 pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\Payment Advise 201223 pdf.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:2952

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1212
- C:\Windows\SysWOW64\mcbuilder.exe
  "C:\Windows\SysWOW64\mcbuilder.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:2272

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1212-20-0x0000000008C10000-0x000000000BC30000-memory.dmp

Filesize
48.1MB

Download
memory/1212-28-0x0000000008C10000-0x000000000BC30000-memory.dmp

Filesize
48.1MB

Download
memory/1692-14-0x0000000074C50000-0x000000007533E000-memory.dmp

Filesize
6.9MB

Download
memory/1692-1-0x0000000074C50000-0x000000007533E000-memory.dmp

Filesize
6.9MB

Download
memory/1692-2-0x0000000004ED0000-0x0000000004F10000-memory.dmp

Filesize
256KB

Download
memory/1692-3-0x0000000000510000-0x0000000000528000-memory.dmp

Filesize
96KB

Download
memory/1692-4-0x0000000000A40000-0x0000000000A48000-memory.dmp

Filesize
32KB

Download
memory/1692-5-0x0000000000AA0000-0x0000000000AAA000-memory.dmp

Filesize
40KB

Download
memory/1692-6-0x00000000052B0000-0x000000000532E000-memory.dmp

Filesize
504KB

Download
memory/1692-0-0x0000000000AB0000-0x0000000000BA4000-memory.dmp

Filesize
976KB

Download
memory/2272-29-0x0000000000080000-0x00000000000BA000-memory.dmp

Filesize
232KB

Download
memory/2272-27-0x0000000000490000-0x000000000052A000-memory.dmp

Filesize
616KB

Download
memory/2272-26-0x0000000000080000-0x00000000000BA000-memory.dmp

Filesize
232KB

Download
memory/2272-25-0x0000000000870000-0x0000000000B73000-memory.dmp

Filesize
3.0MB

Download
memory/2272-30-0x0000000000490000-0x000000000052A000-memory.dmp

Filesize
616KB

Download
memory/2272-22-0x0000000000080000-0x00000000000BA000-memory.dmp

Filesize
232KB

Download
memory/2272-21-0x0000000000080000-0x00000000000BA000-memory.dmp

Filesize
232KB

Download
memory/2952-17-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2952-18-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2952-19-0x00000000001A0000-0x00000000001BB000-memory.dmp

Filesize
108KB

Download
memory/2952-23-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2952-24-0x00000000001A0000-0x00000000001BB000-memory.dmp

Filesize
108KB

Download
memory/2952-16-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2952-15-0x0000000000BB0000-0x0000000000EB3000-memory.dmp

Filesize
3.0MB

Download
memory/2952-13-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2952-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2952-7-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2952-9-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing