Overview

overview

10

Static

static

3

número de...df.exe

windows7-x64

10

número de...df.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    23-05-2024 18:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    número de pedido 012779-pdf.exe

  • Size

    756KB

  • MD5

    67e15999c73fb5a9119e74db15dcbf0e

  • SHA1

    821f318b7db0812f051323578b3ef1c7c7f5797c

  • SHA256

    84deede63e52ad9249ab9907c8adb40cf822c95d2a7057da3efd72784266b797

  • SHA512

    deffc9ee169602d0dfdcdec8b9a74b7bd2dac285eb26bf1ec145d453443617d0f68c619ff07bc0a473c2bbdac338d12a8ce799b0d85f2b8394622a7ce1afd460

  • SSDEEP

    12288:R+D/Pu1N9o7g5lEPg1uJZbCPJMXj/tHxxuVGBDZsmahI9ZE2Zpxwp+BL:R+jub0S2Pg1wbCP2TVXuGWeE2ZpxU+J

Score
10/10
evasionexecutiontrojan

Malware Config

Signatures

  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious behavior: MapViewOfSection 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:1216
    • C:\Users\Admin\AppData\Local\Temp\número de pedido 012779-pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\número de pedido 012779-pdf.exe"
      2⤵
      • UAC bypass
      • Looks for VirtualBox Guest Additions in registry
      • Looks for VMWare Tools registry key
      • Checks BIOS information in registry
      • Checks whether UAC is enabled
      • Maps connected drives based on registry
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1952
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\número de pedido 012779-pdf.exe" -Force
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2624
      • C:\Program Files (x86)\Windows Mail\wab.exe
        "C:\Program Files (x86)\Windows Mail\wab.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        PID:2464
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 1952 -s 548
        3⤵
          PID:2676
      • C:\Windows\SysWOW64\mtstocom.exe
        "C:\Windows\SysWOW64\mtstocom.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        PID:2224

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Command and Scripting Interpreter

    1
    T1059

    PowerShell

    1
    T1059.001

    Persistence

    Privilege Escalation

    Abuse Elevation Control Mechanism

    1
    T1548

    Bypass User Account Control

    1
    T1548.002

    Defense Evasion

    Abuse Elevation Control Mechanism

    1
    T1548

    Bypass User Account Control

    1
    T1548.002

    Impair Defenses

    1
    T1562

    Disable or Modify Tools

    1
    T1562.001

    Modify Registry

    2
    T1112

    Virtualization/Sandbox Evasion

    2
    T1497

    Credential Access

    Discovery

    Query Registry

    4
    T1012

    Virtualization/Sandbox Evasion

    2
    T1497

    System Information Discovery

    4
    T1082

    Peripheral Device Discovery

    1
    T1120

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1952-18-0x000007FEF5BA3000-0x000007FEF5BA4000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1952-1-0x0000000000C90000-0x0000000000CBA000-memory.dmp
      Filesize

      168KB

      Download
    • memory/1952-2-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp
      Filesize

      9.9MB

      Download
    • memory/1952-3-0x00000000001C0000-0x00000000001C6000-memory.dmp
      Filesize

      24KB

      Download
    • memory/1952-4-0x0000000000B10000-0x0000000000BAA000-memory.dmp
      Filesize

      616KB

      Download
    • memory/1952-0-0x000007FEF5BA3000-0x000007FEF5BA4000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1952-19-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp
      Filesize

      9.9MB

      Download
    • memory/2224-28-0x00000000000C0000-0x00000000000FF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2224-26-0x00000000000C0000-0x00000000000FF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2464-22-0x0000000000400000-0x0000000000442000-memory.dmp
      Filesize

      264KB

      Download
    • memory/2464-16-0x0000000000400000-0x0000000000442000-memory.dmp
      Filesize

      264KB

      Download
    • memory/2464-5-0x0000000000400000-0x0000000000442000-memory.dmp
      Filesize

      264KB

      Download
    • memory/2464-20-0x0000000000400000-0x0000000000442000-memory.dmp
      Filesize

      264KB

      Download
    • memory/2464-7-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2464-23-0x0000000000400000-0x0000000000442000-memory.dmp
      Filesize

      264KB

      Download
    • memory/2464-25-0x0000000000400000-0x0000000000442000-memory.dmp
      Filesize

      264KB

      Download
    • memory/2464-9-0x0000000000400000-0x0000000000442000-memory.dmp
      Filesize

      264KB

      Download
    • memory/2464-27-0x0000000000400000-0x0000000000442000-memory.dmp
      Filesize

      264KB

      Download
    • memory/2464-6-0x0000000000400000-0x0000000000442000-memory.dmp
      Filesize

      264KB

      Download
    • memory/2624-15-0x0000000002650000-0x0000000002658000-memory.dmp
      Filesize

      32KB

      Download
    • memory/2624-14-0x000000001B230000-0x000000001B512000-memory.dmp
      Filesize

      2.9MB

      Download