Analysis
max time kernel: 149s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-05-2024 18:22
Static task: static1
Behavioral task: behavioral1
Sample: número de pedido 012779-pdf.exe
Resource: win7-20240221-en
General
Target: número de pedido 012779-pdf.exe
Size: 756KB
MD5: 67e15999c73fb5a9119e74db15dcbf0e
SHA1: 821f318b7db0812f051323578b3ef1c7c7f5797c
SHA256: 84deede63e52ad9249ab9907c8adb40cf822c95d2a7057da3efd72784266b797
SHA512: deffc9ee169602d0dfdcdec8b9a74b7bd2dac285eb26bf1ec145d453443617d0f68c619ff07bc0a473c2bbdac338d12a8ce799b0d85f2b8394622a7ce1afd460
SSDEEP: 12288:R+D/Pu1N9o7g5lEPg1uJZbCPJMXj/tHxxuVGBDZsmahI9ZE2Zpxwp+BL:R+jub0S2Pg1wbCP2TVXuGWeE2ZpxU+J
Malware Config
Signatures
UAC bypass
Process: número de pedido 012779-pdf.exe
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"

Windows security bypass
Process: número de pedido 012779-pdf.exe
  Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\número de pedido 012779-pdf.exe = "0"
Looks for VirtualBox Guest Additions in registry (2 TTPs, 1 IoC)
Process: número de pedido 012779-pdf.exe
  Key opened: \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions

Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

Looks for VMWare Tools registry key (2 TTPs, 1 IoC)
Process: número de pedido 012779-pdf.exe
  Key opened: \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Process: número de pedido 012779-pdf.exe
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Process: número de pedido 012779-pdf.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation
Windows security modification
Process: número de pedido 012779-pdf.exe
  Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
  Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\número de pedido 012779-pdf.exe = "0"

Checks whether UAC is enabled
Process: número de pedido 012779-pdf.exe
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
Process: número de pedido 012779-pdf.exe
  Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum
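As an added example (not part of the report, and not the sample's or the sandbox vendor's code), the following Python reads the same registry locations the signatures above record the sample opening or querying, and reports which of them would give a VM-aware sample something to act on. The live collector needs Windows and the standard winreg module; the constructed VBOX_GUEST snapshot, the VM_MARKERS substring list and the reading of GeoID 244 as the United States are this example's own assumptions, not values taken from the report. The report shows only that these keys were opened or queried, not what the sample did with the answers.

```python
import sys

# Registry locations this sample opened or queried (from the report above).
# Value None means "key existence is the tell"; a live host uses CurrentControlSet
# where the report shows ControlSet001.
CHECKS = {
    "vbox_guest_additions": ("HKLM", r"SOFTWARE\Oracle\VirtualBox Guest Additions", None),
    "vmware_tools":         ("HKLM", r"SOFTWARE\VMware, Inc.\VMware Tools", None),
    "system_bios":          ("HKLM", r"HARDWARE\DESCRIPTION\System", "SystemBiosVersion"),
    "video_bios":           ("HKLM", r"HARDWARE\DESCRIPTION\System", "VideoBiosVersion"),
    "disk_enum_0":          ("HKLM", r"SYSTEM\CurrentControlSet\Services\Disk\Enum", "0"),
    "geo_nation":           ("HKCU", r"Control Panel\International\Geo", "Nation"),
}

# Substrings commonly found in hypervisor-supplied BIOS and disk identifiers.
# Assumption of this example: the list is illustrative, not exhaustive.
VM_MARKERS = ("vbox", "virtualbox", "vmware", "qemu", "bochs", "virtual", "xen", "hyper-v")


def collect_snapshot():
    """Read every CHECKS entry from the live registry (Windows only).
    Missing keys/values map to None; existence-only checks map to True."""
    if sys.platform != "win32":
        raise RuntimeError("live collection needs Windows; pass a snapshot dict to assess() instead")
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    snap = {}
    for name, (hive, path, value) in CHECKS.items():
        try:
            with winreg.OpenKey(hives[hive], path) as key:
                if value is None:
                    snap[name] = True
                else:
                    data, _ = winreg.QueryValueEx(key, value)
                    # REG_MULTI_SZ (SystemBiosVersion) comes back as a list
                    snap[name] = " ".join(data) if isinstance(data, list) else str(data)
        except OSError:
            snap[name] = None
    return snap


def assess(snap):
    """Return {check: reason} for every check that would expose a hypervisor."""
    findings = {}
    for name in ("vbox_guest_additions", "vmware_tools"):
        if snap.get(name):
            findings[name] = "key present"
    for name in ("system_bios", "video_bios", "disk_enum_0"):
        val = snap.get(name)
        if val:
            hit = next((m for m in VM_MARKERS if m in val.lower()), None)
            if hit:
                findings[name] = f"contains '{hit}': {val}"
    return findings


def geofence_value(snap):
    """GeoID the Geo\\Nation query would return, as an int, or None. 244 is the United States."""
    val = snap.get("geo_nation")
    return int(val) if val and val.isdigit() else None


# Constructed snapshot resembling an unhardened VirtualBox guest (not taken from the report).
VBOX_GUEST = {
    "vbox_guest_additions": True,
    "vmware_tools": None,
    "system_bios": "VBOX   - 1",
    "video_bios": "Oracle VM VirtualBox VBE Adapter",
    "disk_enum_0": r"SCSI\Disk&Ven_VBOX&Prod_HARDDISK\4&1234abcd&0&000000",
    "geo_nation": "244",
}

if __name__ == "__main__":
    snap = collect_snapshot() if sys.platform == "win32" else VBOX_GUEST
    for check, reason in assess(snap).items():
        print(f"{check:22} {reason}")
    print("GeoID seen by the geofence check:", geofence_value(snap))
```

Run it on the analysis VM before detonation: an empty result from assess() means none of these particular reads would expose the hypervisor. It covers only what this report shows the sample reading, not the many other checks (CPUID, timing, MAC OUI, device names) for which the report gives no evidence.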
Suspicious use of SetThreadContext (5 IoCs)
  PID 2236 (número de pedido 012779-pdf.exe) set thread context of PID 3636 (iexplore.exe)
  PID 3636 (iexplore.exe) set thread context of PID 3436 (Explorer.EXE)
  PID 3636 (iexplore.exe) set thread context of PID 5048 (mtstocom.exe)
  PID 5048 (mtstocom.exe) set thread context of PID 3436 (Explorer.EXE)
  PID 5048 (mtstocom.exe) set thread context of PID 1412 (Firefox.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Modifies Internet Explorer settings
Process: mtstocom.exe
  Key created: \Registry\User\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2
Storage2 is the key under which Internet Explorer keeps AutoComplete form credentials; an injected process creating it is consistent with credential harvesting, although the report records no reads from it.
Modifies registry class (2 IoCs)
Process: Explorer.EXE
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
  Key created: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\

Suspicious behavior: EnumeratesProcesses (62 IoCs)
  PID 4924 powershell.exe (2 events)
  PID 3636 iexplore.exe (16 events)
  PID 5048 mtstocom.exe (44 events)

Suspicious behavior: MapViewOfSection (7 IoCs)
  PID 3636 iexplore.exe (1 event)
  PID 3436 Explorer.EXE (2 events)
  PID 5048 mtstocom.exe (4 events)

Suspicious use of AdjustPrivilegeToken (14 IoCs)
  Token SeDebugPrivilege: PID 2236 (número de pedido 012779-pdf.exe)
  Token SeDebugPrivilege: PID 4924 (powershell.exe)
  Token SeShutdownPrivilege: PID 3436 (Explorer.EXE) (6 events)
  Token SeCreatePagefilePrivilege: PID 3436 (Explorer.EXE) (6 events)

Suspicious use of UnmapMainImage (1 IoC)
  PID 3436 Explorer.EXE

Suspicious use of WriteProcessMemory (13 IoCs)
  PID 2236 (número de pedido 012779-pdf.exe) wrote to memory of PID 4924 (powershell.exe) (2 events)
  PID 2236 (número de pedido 012779-pdf.exe) wrote to memory of PID 3636 (iexplore.exe) (6 events)
  PID 3436 (Explorer.EXE) wrote to memory of PID 5048 (mtstocom.exe) (3 events)
  PID 5048 (mtstocom.exe) wrote to memory of PID 1412 (Firefox.exe) (2 events)
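The SetThreadContext and WriteProcessMemory records above are easier to reason about as a graph. The following Python is an added example, not code from the report or from the sandbox vendor: it parses rows in the raw "PID <src> <verb> <dst> <src> <source image> <target image>" form the sandbox emits, collapses repeated rows, walks every chain from the sample's PID, and lists the pairs where one process both wrote into another and redirected a thread there. The rows in REPORT_ROWS are copied from the two tables; no PIDs or processes beyond those are assumed.

```python
import re
from collections import defaultdict

# Rows copied from the "Suspicious use of SetThreadContext" and
# "Suspicious use of WriteProcessMemory" tables of the report (repeats collapsed).
REPORT_ROWS = [
    "PID 2236 set thread context of 3636 2236 número de pedido 012779-pdf.exe iexplore.exe",
    "PID 3636 set thread context of 3436 3636 iexplore.exe Explorer.EXE",
    "PID 3636 set thread context of 5048 3636 iexplore.exe mtstocom.exe",
    "PID 5048 set thread context of 3436 5048 mtstocom.exe Explorer.EXE",
    "PID 5048 set thread context of 1412 5048 mtstocom.exe Firefox.exe",
    "PID 2236 wrote to memory of 4924 2236 número de pedido 012779-pdf.exe powershell.exe",
    "PID 2236 wrote to memory of 3636 2236 número de pedido 012779-pdf.exe iexplore.exe",
    "PID 3436 wrote to memory of 5048 3436 Explorer.EXE mtstocom.exe",
    "PID 5048 wrote to memory of 1412 5048 mtstocom.exe Firefox.exe",
]

# The source image may contain spaces (this sample's name does), so it is matched greedily
# and the target image is taken as the final whitespace-free token.
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<verb>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) (?P=src) (?P<src_image>.+) (?P<dst_image>\S+)$"
)


def parse_rows(rows):
    """Return (src_pid, verb, dst_pid, src_image, dst_image) tuples; rows that do not match are skipped."""
    out = []
    for row in rows:
        m = ROW_RE.match(row.strip())
        if m:
            out.append((int(m["src"]), m["verb"], int(m["dst"]), m["src_image"], m["dst_image"]))
    return out


def build_graph(events):
    """Return (pid -> image name, src_pid -> {dst_pid: set(verbs)}); repeated rows collapse into one edge."""
    images, edges = {}, defaultdict(lambda: defaultdict(set))
    for src, verb, dst, src_image, dst_image in events:
        images[src], images[dst] = src_image, dst_image
        edges[src][dst].add(verb)
    return images, edges


def injection_chains(edges, root):
    """Every root-to-leaf path of PIDs. A target already on the current path (mtstocom.exe
    re-pointing a thread in Explorer.EXE, which wrote into it) is not revisited, so the walk ends."""
    chains = []

    def walk(pid, path):
        nxt = [d for d in edges.get(pid, {}) if d not in path]
        if not nxt:
            chains.append(path)
            return
        for d in nxt:
            walk(d, path + [d])

    walk(root, [root])
    return chains


def hollowing_candidates(edges):
    """(src, dst) pairs where one process both wrote into another and changed a thread context
    there: the combination behind process hollowing / thread hijacking, stronger than either alone."""
    return sorted((s, d) for s, targets in edges.items() for d, verbs in targets.items() if len(verbs) == 2)


def describe(images, chain):
    return " -> ".join(f"{pid} {images[pid]}" for pid in chain)


if __name__ == "__main__":
    images, edges = build_graph(parse_rows(REPORT_ROWS))
    for chain in injection_chains(edges, 2236):
        print(describe(images, chain))
    print("write + SetThreadContext:", hollowing_candidates(edges))
```

On this report the walk from 2236 yields four chains, the longest being 2236 -> 3636 iexplore.exe -> 3436 Explorer.EXE -> 5048 mtstocom.exe -> 1412 Firefox.exe. The write into powershell.exe (4924) has no matching thread-context change and is the kind of parent-to-child write a process spawn can produce, so it is not a candidate on its own; 2236 -> 3636 and 5048 -> 1412 have both. A dump at a 32-bit image base inside a process that was written to and then had a thread re-pointed, such as memory/3636-7 (0x400000 to 0x442000, 264KB) under Downloads, is the usual place to look for the unpacked payload.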
System policy modification (1 TTP, 1 IoC)
Process: número de pedido 012779-pdf.exe
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Processes
(the leading number is the depth in the process tree)

1. C:\Windows\Explorer.EXE
   Command line: C:\Windows\Explorer.EXE
   - Modifies registry class
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of UnmapMainImage
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\número de pedido 012779-pdf.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\número de pedido 012779-pdf.exe"
      - UAC bypass
      - Windows security bypass
      - Looks for VirtualBox Guest Additions in registry
      - Looks for VMWare Tools registry key
      - Checks BIOS information in registry
      - Checks computer location settings
      - Windows security modification
      - Checks whether UAC is enabled
      - Maps connected drives based on registry
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification

      3. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
         Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\número de pedido 012779-pdf.exe" -Force
         - Command and Scripting Interpreter: PowerShell
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken

      3. C:\Program Files (x86)\Internet Explorer\iexplore.exe
         Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
         - Suspicious use of SetThreadContext
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: MapViewOfSection

   2. C:\Windows\SysWOW64\mtstocom.exe
      Command line: "C:\Windows\SysWOW64\mtstocom.exe"
      - Suspicious use of SetThreadContext
      - Modifies Internet Explorer settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory

      3. C:\Program Files\Mozilla Firefox\Firefox.exe
         Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
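Three of the signatures in this report (UAC bypass / System policy modification, Windows security bypass / modification, and the PowerShell Add-MpPreference command line in the process tree) are defense-impairment actions that leave log events on a real host. The following Python is an added example, not the sandbox's own rules: it evaluates Sysmon-shaped records (EventID 1 process creation with CommandLine; EventID 12/13 registry key creation and value set with TargetObject and Details) against three rules derived from those signatures. The report writes registry paths in NT-native form (\REGISTRY\MACHINE\...) while Sysmon logs HKLM\..., so keys are normalized before comparison. The MsMpEng.exe allowlist and the benign control rows are assumptions of this example, not anything in the report.

```python
import re

# Rule constants. Keys are compared lower-cased in Sysmon's HKLM/HKU form.
UAC_KEY = "hklm\\software\\microsoft\\windows\\currentversion\\policies\\system\\enablelua"
DEFENDER_EXCLUSIONS = "hklm\\software\\microsoft\\windows defender\\exclusions"
DEFENDER_WRITERS = {"msmpeng.exe"}  # assumption: the only image expected to write Exclusions keys
MP_EXCLUSION_CMD = re.compile(r"\b(add|set)-mppreference\b.*?-exclusion", re.I | re.S)


def normalize_key(path):
    """Lower-case and map the NT-native hive prefixes used in the report to Sysmon's HKLM/HKU form."""
    p = path.lower()
    for nt, short in (("\\registry\\machine\\", "hklm\\"), ("\\registry\\user\\", "hku\\")):
        if p.startswith(nt):
            return short + p[len(nt):]
    return p


def parse_dword(details):
    """Accept Sysmon's 'DWORD (0x00000000)' or the report's bare '"0"'; None for anything else."""
    m = re.search(r"0x([0-9a-f]+)", details, re.I)
    if m:
        return int(m.group(1), 16)
    m = re.fullmatch(r'\s*"?(\d+)"?\s*', details)
    return int(m.group(1)) if m else None


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(events):
    """Return (rule, image, detail) for every event that matches one of the three rules."""
    alerts = []
    for ev in events:
        eid, image = ev.get("EventID"), ev.get("Image", "")
        if eid in (12, 13):
            key = normalize_key(ev.get("TargetObject", ""))
            in_exclusions = key == DEFENDER_EXCLUSIONS or key.startswith(DEFENDER_EXCLUSIONS + "\\")
            # Rule 1: EnableLUA written to 0 (UAC off), whoever writes it.
            if eid == 13 and key == UAC_KEY and parse_dword(ev.get("Details", "")) == 0:
                alerts.append(("uac_disabled", image, key))
            # Rule 2: anything but the Defender engine touching the Exclusions tree.
            elif in_exclusions and basename(image) not in DEFENDER_WRITERS:
                alerts.append(("defender_exclusion_registry", image, key))
        # Rule 3: Add-/Set-MpPreference with any -Exclusion* parameter on the command line.
        elif eid == 1 and MP_EXCLUSION_CMD.search(ev.get("CommandLine", "")):
            alerts.append(("defender_exclusion_powershell", image, ev["CommandLine"]))
    return alerts


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\número de pedido 012779-pdf.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

SAMPLE_EVENTS = [
    # From the report: the sample itself turns UAC off and writes a Defender path exclusion,
    # then launches PowerShell to add the same exclusion through the supported cmdlet.
    {"EventID": 13, "Image": SAMPLE, "Details": "DWORD (0x00000000)",
     "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"},
    {"EventID": 12, "Image": SAMPLE,
     "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths"},
    {"EventID": 13, "Image": SAMPLE, "Details": '"0"',
     "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" + "\\" + SAMPLE},
    {"EventID": 1, "Image": PS,
     "CommandLine": f'"{PS}" Add-MpPreference -ExclusionPath "{SAMPLE}" -Force'},
    # Constructed controls (not from the report) that must not alert.
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe", "Details": "DWORD (0x00000001)",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"},
    {"EventID": 13, "Image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe",
     "Details": "DWORD (0x00000000)",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Backups"},
    {"EventID": 1, "Image": PS, "CommandLine": f'"{PS}" Get-MpPreference'},
]

if __name__ == "__main__":
    for rule, image, detail in evaluate(SAMPLE_EVENTS):
        print(f"{rule:30} {basename(image):34} {detail}")
```

Two caveats. Sysmon records key creation, deletion, rename and value set, not value queries, so the VirtualBox, VMware, BIOS, Geo\Nation and Disk\Enum reads in this report are visible only in a sandbox or with a kernel registry-callback or ETW trace. And allowlisting the Defender engine by image basename is weak, since any binary can be named MsMpEng.exe; in production tie the allowlist to the signed image path.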
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Privilege Escalation
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  Impair Defenses (3): Disable or Modify Tools (3)
  Modify Registry (5)
  Virtualization/Sandbox Evasion (2)
Downloads
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mihncg3x.4qw.ps1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
Memory dumps (name: filesize)
memory/1412-35-0x000001C76BDF0000-0x000001C76BE9A000-memory.dmp: 680KB
memory/2236-6-0x00000173EDA90000-0x00000173EDB2A000-memory.dmp: 616KB
memory/2236-3-0x00000173D3970000-0x00000173D398E000-memory.dmp: 120KB
memory/2236-4-0x00007FF85F970000-0x00007FF85FB65000-memory.dmp: 2.0MB
memory/2236-5-0x00000173D3930000-0x00000173D3936000-memory.dmp: 24KB
memory/2236-2-0x00000173EDA10000-0x00000173EDA86000-memory.dmp: 472KB
memory/2236-0-0x00000173D3570000-0x00000173D359A000-memory.dmp: 168KB
memory/2236-1-0x00007FF85F970000-0x00007FF85FB65000-memory.dmp: 2.0MB
memory/2236-23-0x00007FF85F970000-0x00007FF85FB65000-memory.dmp: 2.0MB
memory/3436-24-0x000000000CEC0000-0x000000000DD88000-memory.dmp: 14.8MB
memory/3436-28-0x0000000008CC0000-0x0000000008DB4000-memory.dmp: 976KB
memory/3436-27-0x000000000CEC0000-0x000000000DD88000-memory.dmp: 14.8MB
memory/3636-7-0x0000000000400000-0x0000000000442000-memory.dmp: 264KB
memory/4924-15-0x000002899C040000-0x000002899C062000-memory.dmp: 136KB
memory/4924-22-0x00007FF85F970000-0x00007FF85FB65000-memory.dmp: 2.0MB
memory/4924-9-0x00007FF85F970000-0x00007FF85FB65000-memory.dmp: 2.0MB
memory/4924-8-0x00007FF85F970000-0x00007FF85FB65000-memory.dmp: 2.0MB
memory/5048-25-0x0000000000C40000-0x0000000000C7F000-memory.dmp: 252KB
memory/5048-26-0x0000000000C40000-0x0000000000C7F000-memory.dmp: 252KB