Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
-
submitted
21/07/2024, 17:57
General
-
Target
Info.Pdf______________________________________________________________.exe
-
Size
200KB
-
MD5
3f7af6433aaeb4f5b2bcda80d2fc562a
-
SHA1
e57e81f201475dfe366df682a4ffa40a4ff78766
-
SHA256
b55ceb179a583bdfd46cb684e032a9b431cc8189fb5fba4b93be994583779ef0
-
SHA512
9e8ff124244439ff027d7bf9929a19abc055a4b8d7dc3e25e9b1617fb2fdbd9161f852b9edd6cb5ec4a8cf45eda87cfc07fee1cf65a92ba3b97ee4a341abe107
-
SSDEEP
6144:nzWS6rxJdVeCMo0oQkiAlnNBGKU+jyg9mPJVC1pNEdP0PoSS:nzR6lJulo04vz9jfmPLiyPkoSS
Malware Config
Signatures
-
Deletes itself 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Maps connected drives based on registry 3 TTPs 4 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 2 IoCs
-
NTFS ADS 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 31 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SendNotifyMessage 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 43 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\Info.Pdf______________________________________________________________.exe"C:\Users\Admin\AppData\Local\Temp\Info.Pdf______________________________________________________________.exe"2⤵
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Apudo\ifuwk.exe"C:\Users\Admin\AppData\Roaming\Apudo\ifuwk.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpcd7f9611.bat"3⤵
- Deletes itself
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Program Files\Windows Mail\WinMail.exe"C:\Program Files\Windows Mail\WinMail.exe" -Embedding1⤵
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.0MB
MD501cc51148afc8a4b679551d1f455e619
SHA160167970be7d4e78da9337fd4e13fe3dfe6956b1
SHA25656e5d5ee6ed1a6e4c90977ba1bf5e2ffe5ec8aad1c848f9e3cc49c8170d3b140
SHA512b5cd53aac8df509aeac3fb5efe6a6cd4338dde2c795431842d4d4452ccad524c17ac33664a33901a03d9d61efada9837a7fdff5fa114923653d54bf3d77206de
-
Filesize
319B
MD5872968946bbe7da83ce98f87aef6f4fc
SHA1610a5081dbb8334dd4019e49764f32be47f4da13
SHA25699d70e8cdf80f176902853f4e9f42cf6a865ecb930f446236d30ad2b6ad9dabc
SHA512e834a4a0273b65f63fdf7adf958884f1b689a7dd9f53783166983bf4fc560732ca3bcd1679c3739a7b593eb627afb3af1f0b5bf1466b1e6442899c35cd96efbe
-
Filesize
437B
MD568ff0e326f8013d15137d52b501d10af
SHA18cea7dc4592f9a097b375c5b4b9ef230fb396208
SHA2564fdd4f41622514224cbefbc6d933efbbe329fbc25c65281b719550b17b99c501
SHA5126e509d6bb6a830dfd5bd1abfcf8c6bae98d76c7d8ea6d9360c6477b466343eb7e5ba38e98ffbe632bce54ec0890306362d1f867c7909d0cda979a509c36db001
-
Filesize
200KB
MD58159ed1a7ec1393b9cda8cb4fe6c8788
SHA1f72a58f6eaa13624471619e8af5944cd37097fd4
SHA2564969c68d684659dedfdfa7a8a7d8194b55a0c9757f3b16335069b74f5dd078a8
SHA512f123c747289bad24579b40378daf4f047100aa7f7a8ee301194950f1dd2d6004b6ea7ebd5093d059e8e0679f9e671a81b83376725a5d24698540d3cecaacf120
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
420KB
-
Filesize
4KB
-
Filesize
420KB
-
Filesize
420KB
-
Filesize
420KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
88KB
-
Filesize
420KB
-
Filesize
192KB
-
Filesize
420KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
420KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
420KB
-
Filesize
420KB
-
Filesize
192KB