Analysis
- max time kernel: 130s
- max time network: 149s
- resource: win10v191014
- submitted: 09-12-2019 11:13
Tasks
- task1: sample "0004 Spec Orede Req.pdf.exe", resource win7v191014, 0 signatures
- task2: sample "0004 Spec Orede Req.pdf.exe", resource win10v191014, 0 signatures
- static1: static task
General
- Target: 0004 Spec Orede Req.pdf.exe (a double-extension lure: the file is a PE executable presented as a PDF; with "hide extensions for known file types" enabled, Explorer shows it as "0004 Spec Orede Req.pdf")
- Size: 1.8MB
- MD5: d7ee787127e8a5727dd90434f6941a2d
- SHA1: aec8070aeba0d4177476494336d6cccb752d83e6
- SHA256: d31b4b000ea53806260be91ca05b91bfcb04c56bd68ed457109e5cab14914587
- SHA512: 57936249eea46d8af818e01e21017e3563223b1fb8c63cc5d4af95e1a5a3be6e446de01f3bf149d0a512585d6cf24dbb2557a4df382a46d0a0dc66ef06d9e5cf
- Score: 4/10
Malware Config
Signatures
- Drops file in Windows directory (1 IoC)
  Process: svchost.exe (the instance running -k netsvcs -s BITS) opened C:\Windows\Debug\ESE.TXT for modification.
  This is attributed to the BITS service host, not to the sample's process tree, and is typical background activity on the analysis VM.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's signature text describes this as likely ransomware behaviour; no process or IoC is attributed to it in this report.
- Modifies data under HKEY_USERS (4 IoCs)
  Process: svchost.exe created the keys
    \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache
    \REGISTRY\USER\S-1-5-19\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections
    \REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache\15\52C64B7E
    \REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache
  S-1-5-19 is the LOCAL SERVICE account, so these are service hives written by svchost.exe rather than by the sample.
- NTFS ADS (1 IoC)
  Process: cmd.exe created C:\Users\Admin\AppData\Local\Temp\0004 Spec Orede Req.pdf.exe:Zone.Identifier
  The Zone.Identifier alternate data stream carries the Mark of the Web; the target path is the sample's own executable, so this is the sample wiping its own mark (see the cmd.exe command line in the process tree).
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  PID 4864 (0004 Spec Orede Req.pdf.exe) enabled SeDebugPrivilege on its token.
- Suspicious use of WriteProcessMemory (5 IoCs)
  PID 4864 (0004 Spec Orede Req.pdf.exe) wrote to the memory of PID 5056 (cmd.exe), 3 times
  PID 5096 (SppExtComObj.exe) wrote to the memory of PID 4224 (SLUI.exe), 2 times
  A parent writing into a child it has just created is part of normal process start-up, so this signature fires on both pairs; the SppExtComObj.exe to SLUI.exe pair is Windows licensing activity unrelated to the sample.
Processes
- C:\Users\Admin\AppData\Local\Temp\0004 Spec Orede Req.pdf.exe (PID 4864)
  command line: "C:\Users\Admin\AppData\Local\Temp\0004 Spec Orede Req.pdf.exe"
  signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 5056)
    command line: "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\Temp\0004 Spec Orede Req.pdf.exe:Zone.Identifier"
    signatures: NTFS ADS
    Note: the command line asks for System32\cmd.exe but the image actually loaded is SysWOW64\cmd.exe, which means the parent is a 32-bit process subject to file system redirection. Redirecting "type nul" into the file's Zone.Identifier stream truncates that stream to zero length, so Explorer and SmartScreen no longer treat the executable as downloaded from the Internet. The sample is doing this to its own path.
- C:\Windows\system32\SppExtComObj.exe (PID 5096)
  command line: C:\Windows\system32\SppExtComObj.exe -Embedding
  signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\System32\SLUI.exe (PID 4224)
    command line: "C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent
    Note: timer-triggered Windows activation; background noise of the analysis VM, not sample behaviour.
- \??\c:\windows\system32\svchost.exe
  command line: c:\windows\system32\svchost.exe -k netsvcs -s BITS
  signatures: Drops file in Windows directory; Modifies data under HKEY_USERS
- \??\c:\windows\system32\svchost.exe
  command line: c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
- \??\c:\windows\system32\svchost.exe
  command line: c:\windows\system32\svchost.exe -k netsvcs -s DoSvc
- \??\c:\windows\system32\svchost.exe
  command line: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s wscsvc
- \??\c:\windows\system32\svchost.exe
  command line: c:\windows\system32\svchost.exe -k unistacksvcgroup
The five svchost.exe entries are service hosts that were already running on the VM; none of them is a child of the sample.
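The Mark-of-the-Web wipe recorded under "NTFS ADS" (cmd.exe redirecting "type nul" into the sample's own Zone.Identifier stream) is easy to hunt for in process-creation telemetry. The script below is an added example written for this page, not part of the sandbox report or its tooling. It scans constructed process-creation events (the fields mirror what Sysmon Event ID 1 or an EDR would give you: pid, image, command line, parent pid, parent image) and flags any command line that empties a Zone.Identifier stream, going beyond the exact "type nul >" form seen here to the "echo.>" variant and the PowerShell equivalents (Unblock-File, Remove-Item/Clear-Content with -Stream Zone.Identifier). It also checks whether the stream being wiped belongs to the parent process's own executable, which is the self-unmarking pattern in this report. The event records, including the three that are not from the report, are constructed sample data.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Output redirect into a Zone.Identifier stream, with or without quotes:
#   type nul > "C:\dir\file.exe:Zone.Identifier"   or   echo.>C:\dir\file.exe:Zone.Identifier
REDIRECT_RE = re.compile(
    r'>\s*(?:"(?P<q>[^"]+?):Zone\.Identifier"|(?P<u>\S+?):Zone\.Identifier)',
    re.IGNORECASE,
)
# PowerShell ways of dropping the mark.
PS_UNBLOCK_RE = re.compile(r"\bUnblock-File\b", re.IGNORECASE)
PS_STREAM_RE = re.compile(r"-Stream\s+[\"']?Zone\.Identifier", re.IGNORECASE)
# Best-effort extraction of the -Path / -LiteralPath argument (double-, single- or unquoted).
PS_PATH_RE = re.compile(r'''-(?:Literal)?Path\s+(?:"([^"]+)"|'([^']+)'|(\S+))''', re.IGNORECASE)


@dataclass
class ProcEvent:
    pid: int
    image: str          # image path of the created process
    cmdline: str
    ppid: int
    parent_image: str   # image path of the parent


@dataclass
class Finding:
    pid: int
    technique: str
    target: Optional[str]   # file whose Zone.Identifier stream is wiped, if recoverable
    self_unmark: bool       # target is the parent process's own executable


def norm(path: str) -> str:
    """Case-fold and strip quotes and the NT \\??\\ prefix so paths from different fields compare equal."""
    p = path.strip().strip('"')
    if p.startswith("\\??\\"):
        p = p[4:]
    return p.lower()


def motw_target(cmdline: str) -> Optional[Tuple[str, Optional[str]]]:
    """Return (technique, target_path) if cmdline wipes a Zone.Identifier stream, else None."""
    m = REDIRECT_RE.search(cmdline)
    if m:
        return "cmd redirect to :Zone.Identifier", m.group("q") or m.group("u")
    technique = None
    if PS_STREAM_RE.search(cmdline):
        technique = "powershell -Stream Zone.Identifier"
    elif PS_UNBLOCK_RE.search(cmdline):
        technique = "powershell Unblock-File"
    if technique is None:
        return None
    pm = PS_PATH_RE.search(cmdline)
    target = next((g for g in pm.groups() if g), None) if pm else None
    return technique, target


def scan(events: List[ProcEvent]) -> List[Finding]:
    """Run the detection over a batch of process-creation events."""
    findings = []
    for ev in events:
        hit = motw_target(ev.cmdline)
        if hit is None:
            continue
        technique, target = hit
        self_unmark = target is not None and norm(target) == norm(ev.parent_image)
        findings.append(Finding(ev.pid, technique, target, self_unmark))
    return findings


# Constructed sample events. The first reproduces the cmd.exe line from this report
# (image under SysWOW64 because the parent is 32-bit); the others are made up for illustration.
SAMPLE_EVENTS = [
    ProcEvent(5056, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\Temp\0004 Spec Orede Req.pdf.exe:Zone.Identifier"',
              4864, r"C:\Users\Admin\AppData\Local\Temp\0004 Spec Orede Req.pdf.exe"),
    ProcEvent(6012, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /C echo.>C:\Users\Admin\Downloads\tool.exe:Zone.Identifier',
              7000, r"C:\Windows\explorer.exe"),
    ProcEvent(6100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -NoProfile -Command Unblock-File -Path 'C:\Users\Admin\Downloads\setup.exe'",
              7000, r"C:\Windows\explorer.exe"),
    ProcEvent(6200, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /C type nul > C:\Users\Admin\log.txt',   # benign: ordinary file, no stream
              7000, r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        flag = "SELF-UNMARK" if f.self_unmark else "unmark"
        print(f"pid {f.pid}: {f.technique} -> {f.target} [{flag}]")
```

The self_unmark flag is the high-value signal: a freshly dropped executable spawning cmd.exe to clear its own Zone.Identifier is rarely legitimate, whereas an admin running Unblock-File from an interactive shell is common, so the two deserve different severities in a rule.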