bbf613ce1f6850b2b62c6f55082ab7b9bcc7f92db0a8ec8f0b495e29cb4988ae

General

Target

07675566556 PURCHASE ORDERpdf.exe
Size

876KB
MD5

b274988968c4256575dd4c4403838324
SHA1

a62d5ceb57ddec5dcffe768c6f48ff1dae66db67
SHA256

bbf613ce1f6850b2b62c6f55082ab7b9bcc7f92db0a8ec8f0b495e29cb4988ae
SHA512

abc5906d8e1e69ff1b33c61db06c4802e370efc8c15db8742092148fbb57aa8df3bd70e6b54fcf6b9a232642318510a4b352ce9810fbd7a1904b6f806d379978

Score

1^/10

Malware Config

Signatures

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1916 schtasks.exe

pid	process
1916	schtasks.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

07675566556 PURCHASE ORDERpdf.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

07675566556 PURCHASE ORDERpdf.exe

description pid process

Token: SeDebugPrivilege 1868 07675566556 PURCHASE ORDERpdf.exe

description	pid	process
Token: SeDebugPrivilege	1868	07675566556 PURCHASE ORDERpdf.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

07675566556 PURCHASE ORDERpdf.exe

pid	process
1868	07675566556 PURCHASE ORDERpdf.exe
1868	07675566556 PURCHASE ORDERpdf.exe
1868	07675566556 PURCHASE ORDERpdf.exe
1868	07675566556 PURCHASE ORDERpdf.exe
1868	07675566556 PURCHASE ORDERpdf.exe

C:\Users\Admin\AppData\Local\Temp\07675566556 PURCHASE ORDERpdf.exe
"C:\Users\Admin\AppData\Local\Temp\07675566556 PURCHASE ORDERpdf.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:1868

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eLajqaT" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAE86.tmp"
2⤵
- Creates scheduled task(s)
PID:1916

C:\Users\Admin\AppData\Local\Temp\07675566556 PURCHASE ORDERpdf.exe
"{path}"
2⤵
PID:1964

C:\Users\Admin\AppData\Local\Temp\07675566556 PURCHASE ORDERpdf.exe
"{path}"
2⤵
PID:1972

C:\Users\Admin\AppData\Local\Temp\07675566556 PURCHASE ORDERpdf.exe
"{path}"
2⤵
PID:1980

C:\Users\Admin\AppData\Local\Temp\07675566556 PURCHASE ORDERpdf.exe
"{path}"
2⤵
PID:1988

C:\Users\Admin\AppData\Local\Temp\07675566556 PURCHASE ORDERpdf.exe
"{path}"
2⤵
PID:1996

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpAE86.tmp

Download Submit

description	pid	process	target process
PID 1868 wrote to memory of 1916	1868	07675566556 PURCHASE ORDERpdf.exe	schtasks.exe
PID 1868 wrote to memory of 1916	1868	07675566556 PURCHASE ORDERpdf.exe	schtasks.exe
PID 1868 wrote to memory of 1916	1868	07675566556 PURCHASE ORDERpdf.exe	schtasks.exe
PID 1868 wrote to memory of 1916	1868	07675566556 PURCHASE ORDERpdf.exe	schtasks.exe
PID 1868 wrote to memory of 1964	1868	07675566556 PURCHASE ORDERpdf.exe	07675566556 PURCHASE ORDERpdf.exe
PID 1868 wrote to memory of 1964	1868	07675566556 PURCHASE ORDERpdf.exe	07675566556 PURCHASE ORDERpdf.exe
PID 1868 wrote to memory of 1964	1868	07675566556 PURCHASE ORDERpdf.exe	07675566556 PURCHASE ORDERpdf.exe
PID 1868 wrote to memory of 1964	1868	07675566556 PURCHASE ORDERpdf.exe	07675566556 PURCHASE ORDERpdf.exe
PID 1868 wrote to memory of 1972	1868	07675566556 PURCHASE ORDERpdf.exe	07675566556 PURCHASE ORDERpdf.exe
PID 1868 wrote to memory of 1972	1868	07675566556 PURCHASE ORDERpdf.exe	07675566556 PURCHASE ORDERpdf.exe
PID 1868 wrote to memory of 1972	1868	07675566556 PURCHASE ORDERpdf.exe	07675566556 PURCHASE ORDERpdf.exe
PID 1868 wrote to memory of 1972	1868	07675566556 PURCHASE ORDERpdf.exe	07675566556 PURCHASE ORDERpdf.exe
PID 1868 wrote to memory of 1980	1868	07675566556 PURCHASE ORDERpdf.exe	07675566556 PURCHASE ORDERpdf.exe
PID 1868 wrote to memory of 1980	1868	07675566556 PURCHASE ORDERpdf.exe	07675566556 PURCHASE ORDERpdf.exe
PID 1868 wrote to memory of 1980	1868	07675566556 PURCHASE ORDERpdf.exe	07675566556 PURCHASE ORDERpdf.exe
PID 1868 wrote to memory of 1980	1868	07675566556 PURCHASE ORDERpdf.exe	07675566556 PURCHASE ORDERpdf.exe
PID 1868 wrote to memory of 1988	1868	07675566556 PURCHASE ORDERpdf.exe	07675566556 PURCHASE ORDERpdf.exe
PID 1868 wrote to memory of 1988	1868	07675566556 PURCHASE ORDERpdf.exe	07675566556 PURCHASE ORDERpdf.exe
PID 1868 wrote to memory of 1988	1868	07675566556 PURCHASE ORDERpdf.exe	07675566556 PURCHASE ORDERpdf.exe
PID 1868 wrote to memory of 1988	1868	07675566556 PURCHASE ORDERpdf.exe	07675566556 PURCHASE ORDERpdf.exe
PID 1868 wrote to memory of 1996	1868	07675566556 PURCHASE ORDERpdf.exe	07675566556 PURCHASE ORDERpdf.exe
PID 1868 wrote to memory of 1996	1868	07675566556 PURCHASE ORDERpdf.exe	07675566556 PURCHASE ORDERpdf.exe
PID 1868 wrote to memory of 1996	1868	07675566556 PURCHASE ORDERpdf.exe	07675566556 PURCHASE ORDERpdf.exe
PID 1868 wrote to memory of 1996	1868	07675566556 PURCHASE ORDERpdf.exe	07675566556 PURCHASE ORDERpdf.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads