Analysis
max time kernel: 118s
max time network: 152s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system
submitted: 27/01/2024, 12:46
Behavioral task: behavioral1
Sample: PDFextractor.exe
Resource: win7-20231215-en
General
Target: PDFextractor.exe
Size: 705KB
MD5: 4a5190c170b6bbc740730372b73b3e3a
SHA1: affb6f1cf65acbcd627416187dac518e5b100f40
SHA256: fcbe2ceaf680fc8f9b379dc41fc3d88887478965321551b385a40dd42c6dd4cc
SHA512: 1c3d275adfb85811a4871a2d4b8c6d54bad663bd606700b337c2adda9b35abae16de77d43ef4cfd1064dbd2c39f667404768303cca38cdc3a04a1d01d0b97e8b
SSDEEP: 12288:ILV6BtpmkaIteszzut6ugI3PCsOMj7L8pVyN0IolbzYHx/MtGJYXgUowtIp2R1t4:6Apfz4sctjspVm0N1sHxv3Umo1tty
Malware Config
Signatures

Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PCI Service = "C:\\Program Files (x86)\\PCI Service\\pcisvc.exe"
  process: PDFextractor.exe

Checks whether UAC is enabled
  description: Key value queried
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  process: PDFextractor.exe

Drops file in Program Files directory (2 IoCs)
  description: File created
  ioc: C:\Program Files (x86)\PCI Service\pcisvc.exe
  process: PDFextractor.exe
  description: File opened for modification
  ioc: C:\Program Files (x86)\PCI Service\pcisvc.exe
  process: PDFextractor.exe

Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid 2716: schtasks.exe
  pid 2828: schtasks.exe

Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid 2192: PDFextractor.exe (8 events)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 2192: PDFextractor.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeDebugPrivilege
  pid 2192: PDFextractor.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  description: PID 2192 wrote to memory of 2716; pid 2192 (PDFextractor.exe); procid_target 28 (4 events)
  description: PID 2192 wrote to memory of 2828; pid 2192 (PDFextractor.exe); procid_target 31 (4 events)
Processes

1. C:\Users\Admin\AppData\Local\Temp\PDFextractor.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\PDFextractor.exe"
   PID: 2192
   - Adds Run key to start application
   - Checks whether UAC is enabled
   - Drops file in Program Files directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks.exe" /create /f /tn "PCI Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp5A60.tmp"
      PID: 2716
      - Creates scheduled task(s)

   2. C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks.exe" /create /f /tn "PCI Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp5CC1.tmp"
      PID: 2828
      - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Downloads

-
Filesize: 1KB
MD5: 7f6c0b45ec5c38500de95eddd09ddac8
SHA1: a38c639dd5c13d7f128f8bbae211d5f9ff8bd2f4
SHA256: e90517f2caaba84a9999518915f3fd5771f3d38ce60de95bae0a095be652cc5c
SHA512: aa93bbf8d3586f923cde1e29b37cec3793b5a40b15f8e2b1d5337e1e4182f3faa23dbb9b8fc01bde4a939826aea5ef8555094926b1de45a4a88f70f5086c188e

-
Filesize: 1KB
MD5: a4f6fa4537e2dcf0d3e2802c0f070a4d
SHA1: 03545095bfeddd7656b5b8547ab84a810324a94f
SHA256: 192ac26e1895b267149bde35c55327f4a441693495239da5899062924d45bd11
SHA512: a4293123d718b0511a8301a7f536e403cecf8bc89f25f9dc4692b293eb8a554a8eb67993a26fe0e96792b6eb3573b34e9b270777cafe95c2383268da6d40fd2e