e0ed9ae4533a2a960d0015130b0265f6f93f437c63abaa6a0bb974a5d1cb4b69

Analysis

max time kernel
117s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
17/05/2024, 02:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Order Inquiry for new Purchase_pdf.exe
Size

947KB
MD5

12a0d4a27fb7f7d5f1b345c9e6b171e2
SHA1

6c6c01b4d9023e2f77ea6758b935c656637e5ea2
SHA256

fc44d6c0bc3f20d6e311cbc63e3442fb7f31b2edf039e49ce424549eddfa522d
SHA512

1916f25fd5dca34c3c92c97a0a5ccd9663d1bdce3d00ee23fd5c1dcdc91784fcdba8fb4857c0478f95920f0c9bbe9e422effa2163e724af4343f6c7ae6dd4418
SSDEEP

24576:OeqkD+B877zBtMA0yZqv+D09Pxjlahm8QIPntPG1kYWAXPJ:OeX+xjz8HzYW

Score

9^/10

Malware Config

Signatures

Detects executables packed with 9Rays.Net Spices.Net Obfuscator. 1 IoCs

resource	yara_rule
behavioral1/memory/1652-3-0x0000000000730000-0x000000000073A000-memory.dmp	INDICATOR_EXE_Packed_Spices

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1652	Order Inquiry for new Purchase_pdf.exe
1652	Order Inquiry for new Purchase_pdf.exe
1652	Order Inquiry for new Purchase_pdf.exe
1652	Order Inquiry for new Purchase_pdf.exe
1652	Order Inquiry for new Purchase_pdf.exe
1652	Order Inquiry for new Purchase_pdf.exe
1652	Order Inquiry for new Purchase_pdf.exe
1652	Order Inquiry for new Purchase_pdf.exe
1652	Order Inquiry for new Purchase_pdf.exe
1652	Order Inquiry for new Purchase_pdf.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1652	Order Inquiry for new Purchase_pdf.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1652 wrote to memory of 3056	1652	Order Inquiry for new Purchase_pdf.exe	28
PID 1652 wrote to memory of 3056	1652	Order Inquiry for new Purchase_pdf.exe	28
PID 1652 wrote to memory of 3056	1652	Order Inquiry for new Purchase_pdf.exe	28
PID 1652 wrote to memory of 3056	1652	Order Inquiry for new Purchase_pdf.exe	28
PID 1652 wrote to memory of 2732	1652	Order Inquiry for new Purchase_pdf.exe	29
PID 1652 wrote to memory of 2732	1652	Order Inquiry for new Purchase_pdf.exe	29
PID 1652 wrote to memory of 2732	1652	Order Inquiry for new Purchase_pdf.exe	29
PID 1652 wrote to memory of 2732	1652	Order Inquiry for new Purchase_pdf.exe	29
PID 1652 wrote to memory of 3064	1652	Order Inquiry for new Purchase_pdf.exe	30
PID 1652 wrote to memory of 3064	1652	Order Inquiry for new Purchase_pdf.exe	30
PID 1652 wrote to memory of 3064	1652	Order Inquiry for new Purchase_pdf.exe	30
PID 1652 wrote to memory of 3064	1652	Order Inquiry for new Purchase_pdf.exe	30
PID 1652 wrote to memory of 2128	1652	Order Inquiry for new Purchase_pdf.exe	31
PID 1652 wrote to memory of 2128	1652	Order Inquiry for new Purchase_pdf.exe	31
PID 1652 wrote to memory of 2128	1652	Order Inquiry for new Purchase_pdf.exe	31
PID 1652 wrote to memory of 2128	1652	Order Inquiry for new Purchase_pdf.exe	31
PID 1652 wrote to memory of 1596	1652	Order Inquiry for new Purchase_pdf.exe	32
PID 1652 wrote to memory of 1596	1652	Order Inquiry for new Purchase_pdf.exe	32
PID 1652 wrote to memory of 1596	1652	Order Inquiry for new Purchase_pdf.exe	32
PID 1652 wrote to memory of 1596	1652	Order Inquiry for new Purchase_pdf.exe	32

C:\Users\Admin\AppData\Local\Temp\Order Inquiry for new Purchase_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Order Inquiry for new Purchase_pdf.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1652
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:3056
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:2732
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:3064
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:2128
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:1596

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1652-0-0x000007FEF54C3000-0x000007FEF54C4000-memory.dmp

Filesize
4KB

Download
memory/1652-1-0x0000000000230000-0x0000000000322000-memory.dmp

Filesize
968KB

Download
memory/1652-2-0x000007FEF54C0000-0x000007FEF5EAC000-memory.dmp

Filesize
9.9MB

Download
memory/1652-3-0x0000000000730000-0x000000000073A000-memory.dmp

Filesize
40KB

Download
memory/1652-4-0x000007FEF54C0000-0x000007FEF5EAC000-memory.dmp

Filesize
9.9MB

Download