Analysis
-
max time kernel
146s
-
max time network
150s
-
platform
windows10-2004_x64
-
resource
win10v2004-20240412-en
-
resource tags
arch:x64 arch:x86 image:win10v2004-20240412-en locale:en-us os:windows10-2004-x64 system
submitted
12-04-2024 23:45
Behavioral task
behavioral1
Sample
Contract for collaboration.pdf.exe
Resource
win10v2004-20240412-en
Behavioral task
behavioral2
Sample
Promotion video from Spotify.mp4.scr
Resource
win10v2004-20240412-en
General
-
Target
Contract for collaboration.pdf.exe
-
Size
750.0MB
-
MD5
b1f104a15b02a9f967111a0ac5f7f379
-
SHA1
23043fbea3620c4b793ed3306ebedeeff06a35d7
-
SHA256
d95014339b85a2a95a540c97c802bea91c85241b3dd74aba7fb1f5d5e26651df
-
SHA512
94a7541e9a82c70791064c97cc94c75ec27362615867157e20ba62ac1b9d712bddee06b633ef48c9fde54f1778b8b29ba034beec0d05f317d4cd0b47a534fc43
-
SSDEEP
768:ly4GM66uNWJJG41zHClKhv5QO1IthaMolDGA3hwP:WRwJJt1OEhQO1IvY3hwP
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
Contract for collaboration.pdf.exe
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation
process: Contract for collaboration.pdf.exe
-
Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
resource: behavioral1/memory/1128-0-0x0000000000670000-0x000000000067A000-memory.dmp
yara_rule: agile_net
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
Processes:
WerFault.exe
pid: 2864
pid_target: 1128
process: WerFault.exe
target process: Contract for collaboration.pdf.exe
-
Delays execution with timeout.exe 1 IoCs
Processes:
timeout.exe
pid: 4840
process: timeout.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
powershell.exe
pid: 5084
process: powershell.exe
pid: 5084
process: powershell.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
Contract for collaboration.pdf.exe, powershell.exe
description: Token: SeDebugPrivilege
pid: 1128
process: Contract for collaboration.pdf.exe
description: Token: SeDebugPrivilege
pid: 5084
process: powershell.exe
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
Contract for collaboration.pdf.exe, powershell.exe, cmd.exe
description: PID 1128 wrote to memory of 5084
pid: 1128
process: Contract for collaboration.pdf.exe
target process: powershell.exe
description: PID 1128 wrote to memory of 5084
pid: 1128
process: Contract for collaboration.pdf.exe
target process: powershell.exe
description: PID 1128 wrote to memory of 5084
pid: 1128
process: Contract for collaboration.pdf.exe
target process: powershell.exe
description: PID 5084 wrote to memory of 2556
pid: 5084
process: powershell.exe
target process: cmd.exe
description: PID 5084 wrote to memory of 2556
pid: 5084
process: powershell.exe
target process: cmd.exe
description: PID 5084 wrote to memory of 2556
pid: 5084
process: powershell.exe
target process: cmd.exe
description: PID 2556 wrote to memory of 4840
pid: 2556
process: cmd.exe
target process: timeout.exe
description: PID 2556 wrote to memory of 4840
pid: 2556
process: cmd.exe
target process: timeout.exe
description: PID 2556 wrote to memory of 4840
pid: 2556
process: cmd.exe
target process: timeout.exe
Processes
-
Path: C:\Users\Admin\AppData\Local\Temp\Contract for collaboration.pdf.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Contract for collaboration.pdf.exe"
Tree level: 1
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1128
-
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cmd /c timeout 20
Tree level: 2
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5084
-
Path: C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\system32\cmd.exe" /c timeout 20
Tree level: 3
- Suspicious use of WriteProcessMemory
PID:2556
-
Path: C:\Windows\SysWOW64\timeout.exe
Command line: timeout 20
Tree level: 4
- Delays execution with timeout.exe
PID:4840
-
Path: C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1128 -s 1296
Tree level: 2
- Program crash
PID:2864
-
Path: C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1128 -ip 1128
Tree level: 1
PID:4948
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
60B
MD5
d17fe0a3f47be24a6453e9ef58c94641
SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82