bc4f2cd8e722506956f7ddfb942f1d3e8b3e6fa15e6bdcc596717a822cf715d4

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
11/07/2024, 13:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0001244.pdf.exe
Size

1.1MB
MD5

04983c19e0ccc25bb1d7c9734a1ef507
SHA1

6510d5da5025e0651535228d267831850f5028a1
SHA256

bc4f2cd8e722506956f7ddfb942f1d3e8b3e6fa15e6bdcc596717a822cf715d4
SHA512

71b3ede5bf14351090b56462dd8e880e6359217321611eeecec47ed301d5d9c51765d5dff5fb05529ab8925068e14a10dff027dd8a71741823dc72bd2110c373
SSDEEP

24576:KAHnh+eWsN3skA4RV1Hom2KXMmHalZbIz5EvOQ1fQpuzaBbW5:dh+ZkldoPK8Yal145HQ1OuzaBQ

Score

7^/10

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs	name.exe

Executes dropped EXE 2 IoCs

pid	Process
3020	name.exe
4088	name.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x0007000000023410-13.dat	autoit_exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2008	4088	WerFault.exe	88

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3020	name.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 5040 wrote to memory of 3020	5040	0001244.pdf.exe	86
PID 5040 wrote to memory of 3020	5040	0001244.pdf.exe	86
PID 5040 wrote to memory of 3020	5040	0001244.pdf.exe	86
PID 3020 wrote to memory of 4320	3020	name.exe	87
PID 3020 wrote to memory of 4320	3020	name.exe	87
PID 3020 wrote to memory of 4320	3020	name.exe	87
PID 3020 wrote to memory of 4088	3020	name.exe	88
PID 3020 wrote to memory of 4088	3020	name.exe	88
PID 3020 wrote to memory of 4088	3020	name.exe	88
PID 4088 wrote to memory of 428	4088	name.exe	89
PID 4088 wrote to memory of 428	4088	name.exe	89
PID 4088 wrote to memory of 428	4088	name.exe	89

C:\Users\Admin\AppData\Local\Temp\0001244.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\0001244.pdf.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5040
- C:\Users\Admin\AppData\Local\directory\name.exe
  "C:\Users\Admin\AppData\Local\Temp\0001244.pdf.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\0001244.pdf.exe"
    3⤵
    PID:4320
- - C:\Users\Admin\AppData\Local\directory\name.exe
    "C:\Users\Admin\AppData\Local\directory\name.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4088
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Users\Admin\AppData\Local\directory\name.exe"
      4⤵
      PID:428
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4088 -s 684
      4⤵
      Program crash
      PID:2008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4088 -ip 4088
1⤵
PID:4284

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aut7649.tmp

Filesize
234KB

MD5
9149b28d8ed641cbe48096e039fa1b49

SHA1
b17a6076ddd6e5bc1faa603f31f1f58263531b91

SHA256
c579f3340ef5f703b3edf09729d245338302c90ab958d035f170e3f32a95c6eb

SHA512
211db048ad46b39c8b21745b5eb9dad3d4f93b09e479e4b242a3a74b5c0543ea35292a2301d4a1582606ff543b91059d81131e5ca5ec9f8a6c96329a92821d27

Download Submit
C:\Users\Admin\AppData\Local\Temp\aut765A.tmp

Filesize
9KB

MD5
1d87d739801300f649420a5b282d4abc

SHA1
a1b7a7772f744bc6781207df376c7268595ff1ec

SHA256
a19b2605beb8eb3b44d03ba26e09bc13ad3234c6e91f916d19000a9047c8211e

SHA512
f6ebfcfe486393d0074e663a5d232f388ed059d2a8609eb46ac23a539fe44566d749d0cd30d86a24f9796204af52b335bd5b697839ae5588baacd34d81469bbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\outbluffed

Filesize
242KB

MD5
e81ef177991741aca8a8ad377beb1479

SHA1
edeecd1f68064fd795c8c082ae306fb2d824dc52

SHA256
0853abd03a7649528107f29a52185abedb634068ba1065dc755b6fa0cde9d4f7

SHA512
bbc90c7dd2a8ffa8c01f41f5ae55023ae151d07e6c3fd420e709896b2652a5670c22e5609581691f98222afdcb07644e4257a7d28b8812551e86d82b6b429262

Download Submit
C:\Users\Admin\AppData\Local\Temp\resharpen

Filesize
28KB

MD5
3e16202edd9e1d16b5cc384b3bb9562f

SHA1
5422fa335850b94b139d87114bb495113b335fc8

SHA256
d1485284d14e78d051bbe9342af586f62cc57f961621458cf2b4df991d441ab4

SHA512
0ddf0e52df328a1812380dae63cf56df23b8e90089443a1661533a733742f6803f7e4a0c1fa69b0e900c1539ec328c29faabfa8ff801b45f31eeea23ecb7e49f

Download Submit
C:\Users\Admin\AppData\Local\directory\name.exe

Filesize
1.1MB

MD5
04983c19e0ccc25bb1d7c9734a1ef507

SHA1
6510d5da5025e0651535228d267831850f5028a1

SHA256
bc4f2cd8e722506956f7ddfb942f1d3e8b3e6fa15e6bdcc596717a822cf715d4

SHA512
71b3ede5bf14351090b56462dd8e880e6359217321611eeecec47ed301d5d9c51765d5dff5fb05529ab8925068e14a10dff027dd8a71741823dc72bd2110c373

Download Submit
memory/5040-10-0x0000000000B60000-0x0000000000B64000-memory.dmp

Filesize
16KB

Download