6afddd200d476183134e476b764d6ec32f6dbf2d1017cc2c2f42a4af1019954e

General

Target

VirusShare-01440307e996ca8612977cf16c190316.exe
Size

44KB
MD5

01440307e996ca8612977cf16c190316
SHA1

28bb443a91e31e2ff447de4142066964333e6bd7
SHA256

6afddd200d476183134e476b764d6ec32f6dbf2d1017cc2c2f42a4af1019954e
SHA512

0d0eacbfa6984a8559a25c67a16ff44ddb5e5f69bd62ca72b689a19a94cba8c31708cdcdc34161d1d8feca723f25f7b27350be3a16d1ae96775dd6112602cbc0
SSDEEP

768:xVMuc33zv3e5ipm2qyV7JtpJ/hHDmQH/It7Ru+3ddsd7nbcuyD7U:LM13T3TVq8pRhjV/ISd7nouy8

Score

10^/10

evasion

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 6 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files (x86)\Common Files\System\pdfprint.exe = "C:\\Program Files (x86)\\Common Files\\System\\pdfprint.exe:*:Enabled:Adobe remote printing service"	VirusShare-01440307e996ca8612977cf16c190316.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	pdfprint.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files (x86)\Common Files\System\pdfprint.exe = "C:\\Program Files (x86)\\Common Files\\System\\pdfprint.exe:*:Enabled:Adobe remote printing service"	pdfprint.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	VirusShare-01440307e996ca8612977cf16c190316.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	VirusShare-01440307e996ca8612977cf16c190316.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	VirusShare-01440307e996ca8612977cf16c190316.exe

UPX dump on OEP (original entry point) 10 IoCs

resource	yara_rule
behavioral2/memory/1248-0-0x0000000000400000-0x0000000000421000-memory.dmp	UPX
behavioral2/files/0x00070000000231f2-3.dat	UPX
behavioral2/memory/1248-5-0x0000000000400000-0x0000000000421000-memory.dmp	UPX
behavioral2/memory/2004-6-0x0000000000400000-0x0000000000421000-memory.dmp	UPX
behavioral2/memory/2004-13-0x0000000000400000-0x0000000000421000-memory.dmp	UPX
behavioral2/memory/2004-14-0x0000000000400000-0x0000000000421000-memory.dmp	UPX
behavioral2/memory/2004-15-0x0000000000400000-0x0000000000421000-memory.dmp	UPX
behavioral2/memory/2004-17-0x0000000000400000-0x0000000000421000-memory.dmp	UPX
behavioral2/memory/2004-18-0x0000000000400000-0x0000000000421000-memory.dmp	UPX
behavioral2/memory/2004-19-0x0000000000400000-0x0000000000421000-memory.dmp	UPX

Deletes itself 1 IoCs

pid	Process
2004	pdfprint.exe

Executes dropped EXE 1 IoCs

pid	Process
2004	pdfprint.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\System\pdfprint.exe	pdfprint.exe
File opened for modification	C:\Program Files (x86)\Common Files\System	VirusShare-01440307e996ca8612977cf16c190316.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\pdfprint.exe	VirusShare-01440307e996ca8612977cf16c190316.exe
File created	C:\Program Files (x86)\Common Files\System\pdfprint.exe	VirusShare-01440307e996ca8612977cf16c190316.exe
File opened for modification	C:\Program Files (x86)\Common Files\System	pdfprint.exe

C:\Users\Admin\AppData\Local\Temp\VirusShare-01440307e996ca8612977cf16c190316.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare-01440307e996ca8612977cf16c190316.exe"
1⤵
- Modifies firewall policy service
- Drops file in Program Files directory
PID:1248

C:\Program Files (x86)\Common Files\System\pdfprint.exe
"C:\Program Files (x86)\Common Files\System\pdfprint.exe"
1⤵
- Modifies firewall policy service
- Deletes itself
- Executes dropped EXE
- Drops file in Program Files directory
PID:2004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\System\pdfprint.exe

Filesize
44KB

MD5
01440307e996ca8612977cf16c190316

SHA1
28bb443a91e31e2ff447de4142066964333e6bd7

SHA256
6afddd200d476183134e476b764d6ec32f6dbf2d1017cc2c2f42a4af1019954e

SHA512
0d0eacbfa6984a8559a25c67a16ff44ddb5e5f69bd62ca72b689a19a94cba8c31708cdcdc34161d1d8feca723f25f7b27350be3a16d1ae96775dd6112602cbc0

Download Submit
memory/1248-0-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1248-5-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2004-6-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2004-13-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2004-14-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2004-15-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2004-17-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2004-18-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2004-19-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads