Analysis
- max time kernel: 118s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 23-05-2024 18:22
Static task: static1
Behavioral task: behavioral1
Sample: número de pedido 012779-pdf.exe
Resource: win7-20240221-en
General
- Target: número de pedido 012779-pdf.exe
- Size: 756KB
- MD5: 67e15999c73fb5a9119e74db15dcbf0e
- SHA1: 821f318b7db0812f051323578b3ef1c7c7f5797c
- SHA256: 84deede63e52ad9249ab9907c8adb40cf822c95d2a7057da3efd72784266b797
- SHA512: deffc9ee169602d0dfdcdec8b9a74b7bd2dac285eb26bf1ec145d453443617d0f68c619ff07bc0a473c2bbdac338d12a8ce799b0d85f2b8394622a7ce1afd460
- SSDEEP: 12288:R+D/Pu1N9o7g5lEPg1uJZbCPJMXj/tHxxuVGBDZsmahI9ZE2Zpxwp+BL:R+jub0S2Pg1wbCP2TVXuGWeE2ZpxU+J
Malware Config
Signatures
-
UAC bypass
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | número de pedido 012779-pdf.exe
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions | número de pedido 012779-pdf.exe
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools | número de pedido 012779-pdf.exe
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | número de pedido 012779-pdf.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | número de pedido 012779-pdf.exe
-
Checks whether UAC is enabled
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | número de pedido 012779-pdf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | número de pedido 012779-pdf.exe
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | número de pedido 012779-pdf.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | número de pedido 012779-pdf.exe
-
Suspicious use of SetThreadContext 7 IoCs
Processes:
description | pid | process | target process
PID 1952 set thread context of 2464 | 1952 | número de pedido 012779-pdf.exe | wab.exe
PID 2464 set thread context of 1952 | 2464 | wab.exe | número de pedido 012779-pdf.exe
PID 2464 set thread context of 1952 | 2464 | wab.exe | número de pedido 012779-pdf.exe
PID 2464 set thread context of 1952 | 2464 | wab.exe | número de pedido 012779-pdf.exe
PID 2464 set thread context of 1216 | 2464 | wab.exe | Explorer.EXE
PID 2464 set thread context of 2224 | 2464 | wab.exe | mtstocom.exe
PID 2224 set thread context of 1952 | 2224 | mtstocom.exe | número de pedido 012779-pdf.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
Processes:
pid | process
2624 | powershell.exe
2464 | wab.exe
2464 | wab.exe
2464 | wab.exe
2464 | wab.exe
2464 | wab.exe
2464 | wab.exe
2464 | wab.exe
2464 | wab.exe
2464 | wab.exe
2464 | wab.exe
2464 | wab.exe
2224 | mtstocom.exe
2224 | mtstocom.exe
2224 | mtstocom.exe
2224 | mtstocom.exe
-
Suspicious behavior: MapViewOfSection 8 IoCs
Processes:
pid | process
2464 | wab.exe
2464 | wab.exe
2464 | wab.exe
2464 | wab.exe
1216 | Explorer.EXE
1216 | Explorer.EXE
2224 | mtstocom.exe
2224 | mtstocom.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 1952 | número de pedido 012779-pdf.exe
Token: SeDebugPrivilege | 2624 | powershell.exe
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes:
description | pid | process | target process
PID 1952 wrote to memory of 2624 | 1952 | número de pedido 012779-pdf.exe | powershell.exe
PID 1952 wrote to memory of 2624 | 1952 | número de pedido 012779-pdf.exe | powershell.exe
PID 1952 wrote to memory of 2624 | 1952 | número de pedido 012779-pdf.exe | powershell.exe
PID 1952 wrote to memory of 2464 | 1952 | número de pedido 012779-pdf.exe | wab.exe
PID 1952 wrote to memory of 2464 | 1952 | número de pedido 012779-pdf.exe | wab.exe
PID 1952 wrote to memory of 2464 | 1952 | número de pedido 012779-pdf.exe | wab.exe
PID 1952 wrote to memory of 2464 | 1952 | número de pedido 012779-pdf.exe | wab.exe
PID 1952 wrote to memory of 2464 | 1952 | número de pedido 012779-pdf.exe | wab.exe
PID 1952 wrote to memory of 2464 | 1952 | número de pedido 012779-pdf.exe | wab.exe
PID 1952 wrote to memory of 2464 | 1952 | número de pedido 012779-pdf.exe | wab.exe
PID 1952 wrote to memory of 2676 | 1952 | número de pedido 012779-pdf.exe | WerFault.exe
PID 1952 wrote to memory of 2676 | 1952 | número de pedido 012779-pdf.exe | WerFault.exe
PID 1952 wrote to memory of 2676 | 1952 | número de pedido 012779-pdf.exe | WerFault.exe
PID 1216 wrote to memory of 2224 | 1216 | Explorer.EXE | mtstocom.exe
PID 1216 wrote to memory of 2224 | 1216 | Explorer.EXE | mtstocom.exe
PID 1216 wrote to memory of 2224 | 1216 | Explorer.EXE | mtstocom.exe
PID 1216 wrote to memory of 2224 | 1216 | Explorer.EXE | mtstocom.exe
-
System policy modification 1 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | número de pedido 012779-pdf.exe
Processes
C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\número de pedido 012779-pdf.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\número de pedido 012779-pdf.exe"
    - UAC bypass
    - Looks for VirtualBox Guest Additions in registry
    - Looks for VMWare Tools registry key
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Maps connected drives based on registry
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\número de pedido 012779-pdf.exe" -Force
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Program Files (x86)\Windows Mail\wab.exe
      Command line: "C:\Program Files (x86)\Windows Mail\wab.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
    C:\Windows\system32\WerFault.exe
      Command line: C:\Windows\system32\WerFault.exe -u -p 1952 -s 548
  C:\Windows\SysWOW64\mtstocom.exe
    Command line: "C:\Windows\SysWOW64\mtstocom.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (1)
  - Disable or Modify Tools (1)
- Modify Registry (2)
- Virtualization/Sandbox Evasion (2)
Downloads
- memory/1952-18-0x000007FEF5BA3000-0x000007FEF5BA4000-memory.dmp (Filesize: 4KB)
- memory/1952-1-0x0000000000C90000-0x0000000000CBA000-memory.dmp (Filesize: 168KB)
- memory/1952-2-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp (Filesize: 9.9MB)
- memory/1952-3-0x00000000001C0000-0x00000000001C6000-memory.dmp (Filesize: 24KB)
- memory/1952-4-0x0000000000B10000-0x0000000000BAA000-memory.dmp (Filesize: 616KB)
- memory/1952-0-0x000007FEF5BA3000-0x000007FEF5BA4000-memory.dmp (Filesize: 4KB)
- memory/1952-19-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp (Filesize: 9.9MB)
- memory/2224-28-0x00000000000C0000-0x00000000000FF000-memory.dmp (Filesize: 252KB)
- memory/2224-26-0x00000000000C0000-0x00000000000FF000-memory.dmp (Filesize: 252KB)
- memory/2464-22-0x0000000000400000-0x0000000000442000-memory.dmp (Filesize: 264KB)
- memory/2464-16-0x0000000000400000-0x0000000000442000-memory.dmp (Filesize: 264KB)
- memory/2464-5-0x0000000000400000-0x0000000000442000-memory.dmp (Filesize: 264KB)
- memory/2464-20-0x0000000000400000-0x0000000000442000-memory.dmp (Filesize: 264KB)
- memory/2464-7-0x000000007EFDE000-0x000000007EFDF000-memory.dmp (Filesize: 4KB)
- memory/2464-23-0x0000000000400000-0x0000000000442000-memory.dmp (Filesize: 264KB)
- memory/2464-25-0x0000000000400000-0x0000000000442000-memory.dmp (Filesize: 264KB)
- memory/2464-9-0x0000000000400000-0x0000000000442000-memory.dmp (Filesize: 264KB)
- memory/2464-27-0x0000000000400000-0x0000000000442000-memory.dmp (Filesize: 264KB)
- memory/2464-6-0x0000000000400000-0x0000000000442000-memory.dmp (Filesize: 264KB)
- memory/2624-15-0x0000000002650000-0x0000000002658000-memory.dmp (Filesize: 32KB)
- memory/2624-14-0x000000001B230000-0x000000001B512000-memory.dmp (Filesize: 2.9MB)