06e63152946d3d0d546cf9467edea0e469fe0b38c9f4a65db931f73cf9a9fa99

Analysis

max time kernel
141s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
30/05/2024, 14:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

CONTRACT_AMENDED_PDF.exe
Size

570KB
MD5

c86986d560728762cca6eb3fddde5863
SHA1

0658d6a4b49d22e31b71d02bd107ff7c3f025d0c
SHA256

433d714046433a609b8aada48d6d50bb47a3f6a840932c559b2f0b71004f4479
SHA512

5de910a8a9e07bd9ae40f3171ada17569d1fe62b780c063fa63fae2612c38df907a1e3e1b1ed91494dbee94ca1fa70c43045d3cd24dbea0c29fd3ec37b693d44
SSDEEP

6144:wUjRwQGJaKitWD64lgZ2lci+8Rg5+si7iDb05Du7DkKlkr:wqcS4lgzirO4p7Y4Ru8qm

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
332	CONTRACT_AMENDED_PDF.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
332	CONTRACT_AMENDED_PDF.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 332 set thread context of 1412	332	CONTRACT_AMENDED_PDF.exe	101

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\massiveres\compitalia.ini	CONTRACT_AMENDED_PDF.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
332	CONTRACT_AMENDED_PDF.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 332 wrote to memory of 1412	332	CONTRACT_AMENDED_PDF.exe	101
PID 332 wrote to memory of 1412	332	CONTRACT_AMENDED_PDF.exe	101
PID 332 wrote to memory of 1412	332	CONTRACT_AMENDED_PDF.exe	101
PID 332 wrote to memory of 1412	332	CONTRACT_AMENDED_PDF.exe	101
PID 332 wrote to memory of 1412	332	CONTRACT_AMENDED_PDF.exe	101

C:\Users\Admin\AppData\Local\Temp\CONTRACT_AMENDED_PDF.exe
"C:\Users\Admin\AppData\Local\Temp\CONTRACT_AMENDED_PDF.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:332
- C:\Users\Admin\AppData\Local\Temp\CONTRACT_AMENDED_PDF.exe
  "C:\Users\Admin\AppData\Local\Temp\CONTRACT_AMENDED_PDF.exe"
  2⤵
  PID:1412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3692 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8
1⤵
PID:4776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsv5069.tmp\System.dll

Filesize
11KB

MD5
0ff2d70cfdc8095ea99ca2dabbec3cd7

SHA1
10c51496d37cecd0e8a503a5a9bb2329d9b38116

SHA256
982c5fb7ada7d8c9bc3e419d1c35da6f05bc5dd845940c179af3a33d00a36a8b

SHA512
cb5fc0b3194f469b833c2c9abf493fcec5251e8609881b7f5e095b9bd09ed468168e95dda0ba415a7d8d6b7f0dee735467c0ed8e52b223eb5359986891ba6e2e

Download Submit
memory/332-10-0x00000000779A1000-0x0000000077AC1000-memory.dmp

Filesize
1.1MB

Download
memory/332-11-0x0000000010004000-0x0000000010005000-memory.dmp

Filesize
4KB

Download