Analysis
-
max time kernel
149s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
23-05-2024 18:22
General
-
Target
número de pedido 012779-pdf.exe
-
Size
756KB
-
MD5
67e15999c73fb5a9119e74db15dcbf0e
-
SHA1
821f318b7db0812f051323578b3ef1c7c7f5797c
-
SHA256
84deede63e52ad9249ab9907c8adb40cf822c95d2a7057da3efd72784266b797
-
SHA512
deffc9ee169602d0dfdcdec8b9a74b7bd2dac285eb26bf1ec145d453443617d0f68c619ff07bc0a473c2bbdac338d12a8ce799b0d85f2b8394622a7ce1afd460
-
SSDEEP
12288:R+D/Pu1N9o7g5lEPg1uJZbCPJMXj/tHxxuVGBDZsmahI9ZE2Zpxwp+BL:R+jub0S2Pg1wbCP2TVXuGWeE2ZpxU+J
Malware Config
Signatures
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 2 IoCs
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Windows security modification 2 TTPs 3 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Modifies registry class 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 62 IoCs
-
Suspicious behavior: MapViewOfSection 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 14 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 13 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\número de pedido 012779-pdf.exe"C:\Users\Admin\AppData\Local\Temp\número de pedido 012779-pdf.exe"2⤵
- UAC bypass
- Windows security bypass
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Windows security modification
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\número de pedido 012779-pdf.exe" -Force3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\mtstocom.exe"C:\Windows\SysWOW64\mtstocom.exe"2⤵
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\Firefox.exe"C:\Program Files\Mozilla Firefox\Firefox.exe"3⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
5Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mihncg3x.4qw.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
memory/1412-35-0x000001C76BDF0000-0x000001C76BE9A000-memory.dmpFilesize
680KB
-
memory/2236-6-0x00000173EDA90000-0x00000173EDB2A000-memory.dmpFilesize
616KB
-
memory/2236-3-0x00000173D3970000-0x00000173D398E000-memory.dmpFilesize
120KB
-
memory/2236-4-0x00007FF85F970000-0x00007FF85FB65000-memory.dmpFilesize
2.0MB
-
memory/2236-5-0x00000173D3930000-0x00000173D3936000-memory.dmpFilesize
24KB
-
memory/2236-2-0x00000173EDA10000-0x00000173EDA86000-memory.dmpFilesize
472KB
-
memory/2236-0-0x00000173D3570000-0x00000173D359A000-memory.dmpFilesize
168KB
-
memory/2236-1-0x00007FF85F970000-0x00007FF85FB65000-memory.dmpFilesize
2.0MB
-
memory/2236-23-0x00007FF85F970000-0x00007FF85FB65000-memory.dmpFilesize
2.0MB
-
memory/3436-24-0x000000000CEC0000-0x000000000DD88000-memory.dmpFilesize
14.8MB
-
memory/3436-28-0x0000000008CC0000-0x0000000008DB4000-memory.dmpFilesize
976KB
-
memory/3436-27-0x000000000CEC0000-0x000000000DD88000-memory.dmpFilesize
14.8MB
-
memory/3636-7-0x0000000000400000-0x0000000000442000-memory.dmpFilesize
264KB
-
memory/4924-15-0x000002899C040000-0x000002899C062000-memory.dmpFilesize
136KB
-
memory/4924-22-0x00007FF85F970000-0x00007FF85FB65000-memory.dmpFilesize
2.0MB
-
memory/4924-9-0x00007FF85F970000-0x00007FF85FB65000-memory.dmpFilesize
2.0MB
-
memory/4924-8-0x00007FF85F970000-0x00007FF85FB65000-memory.dmpFilesize
2.0MB
-
memory/5048-25-0x0000000000C40000-0x0000000000C7F000-memory.dmpFilesize
252KB
-
memory/5048-26-0x0000000000C40000-0x0000000000C7F000-memory.dmpFilesize
252KB