Analysis

- max time kernel: 143s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27/01/2024, 12:46
Behavioral task: behavioral1

- Sample: PDFextractor.exe
- Resource: win7-20231215-en
General

- Target: PDFextractor.exe
- Size: 705KB
- MD5: 4a5190c170b6bbc740730372b73b3e3a
- SHA1: affb6f1cf65acbcd627416187dac518e5b100f40
- SHA256: fcbe2ceaf680fc8f9b379dc41fc3d88887478965321551b385a40dd42c6dd4cc
- SHA512: 1c3d275adfb85811a4871a2d4b8c6d54bad663bd606700b337c2adda9b35abae16de77d43ef4cfd1064dbd2c39f667404768303cca38cdc3a04a1d01d0b97e8b
- SSDEEP: 12288:ILV6BtpmkaIteszzut6ugI3PCsOMj7L8pVyN0IolbzYHx/MtGJYXgUowtIp2R1t4:6Apfz4sctjspVm0N1sHxv3Umo1tty
Malware Config
Signatures

Adds Run key to start application (2 TTPs, 1 IoC)
- Description: Set value (str)
  IoC: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NAT Service = "C:\\Program Files (x86)\\NAT Service\\natsv.exe"
  Process: PDFextractor.exe

Checks whether UAC is enabled
- Description: Key value queried
  IoC: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  Process: PDFextractor.exe

Drops file in Program Files directory (2 IoCs)
- Description: File created
  IoC: C:\Program Files (x86)\NAT Service\natsv.exe
  Process: PDFextractor.exe
- Description: File opened for modification
  IoC: C:\Program Files (x86)\NAT Service\natsv.exe
  Process: PDFextractor.exe

Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
- PID 4188: schtasks.exe
- PID 3564: schtasks.exe

Suspicious behavior: EnumeratesProcesses (12 IoCs)
- PID 4072: PDFextractor.exe (12 identical entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- PID 4072: PDFextractor.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
- Description: Token: SeDebugPrivilege
  PID 4072: PDFextractor.exe

Suspicious use of WriteProcessMemory (6 IoCs)
- PID 4072 (PDFextractor.exe) wrote to memory of PID 4188, procid_target 54 (3 identical entries)
- PID 4072 (PDFextractor.exe) wrote to memory of PID 3564, procid_target 56 (3 identical entries)
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\PDFextractor.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\PDFextractor.exe"
  PID: 4072
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Windows\SysWOW64\schtasks.exe
    Command line: "schtasks.exe" /create /f /tn "NAT Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp5861.tmp"
    PID: 4188
    - Creates scheduled task(s)

  Level 2: C:\Windows\SysWOW64\schtasks.exe
    Command line: "schtasks.exe" /create /f /tn "NAT Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp58C0.tmp"
    PID: 3564
    - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 1KB
  MD5: 7f6c0b45ec5c38500de95eddd09ddac8
  SHA1: a38c639dd5c13d7f128f8bbae211d5f9ff8bd2f4
  SHA256: e90517f2caaba84a9999518915f3fd5771f3d38ce60de95bae0a095be652cc5c
  SHA512: aa93bbf8d3586f923cde1e29b37cec3793b5a40b15f8e2b1d5337e1e4182f3faa23dbb9b8fc01bde4a939826aea5ef8555094926b1de45a4a88f70f5086c188e

- Filesize: 1KB
  MD5: cd8e69b89899eb65a199cc8019e502ad
  SHA1: 19ae04c02d02e2828e4513de66734c383660d1a5
  SHA256: cf1a9b78745b0f788fea2f579f1e3a82efc7425edb1f35abb8dd8e1cbaaf03ef
  SHA512: 9a2bf35fc687ec6ac81ad3fe16f82f104ad880be6b36afc7297264de09d50e85d9d3376ed9378d56b08ef94ca700b886cc40768587fc623c7fb6117265bd7033