82b3bc554c3ed5e698153da5badfd3973e337c49ee8477847b2ca0fdda98b895

General

Target

Purchasing Doc_ 6000019430.exe
Size

793KB
MD5

e956a3cc966ca07ff6d7e56bbd78b2c4
SHA1

39429f7fb9ab18a29c84af8b49eec67b036532f2
SHA256

82b3bc554c3ed5e698153da5badfd3973e337c49ee8477847b2ca0fdda98b895
SHA512

83a9b4fcb38c36049b522cb180146ce5087d9cb020e370b3ad85baa4acf12628276f9f74406ea4a229f3d58dbff4fa708f96df84ddef7fd9446674ee3cf351d7

Score

1^/10

Malware Config

Signatures

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1432 wrote to memory of 1836	1432	Purchasing Doc_ 6000019430.exe	26
PID 1432 wrote to memory of 1836	1432	Purchasing Doc_ 6000019430.exe	26
PID 1432 wrote to memory of 1836	1432	Purchasing Doc_ 6000019430.exe	26
PID 1432 wrote to memory of 1836	1432	Purchasing Doc_ 6000019430.exe	26
PID 1432 wrote to memory of 1764	1432	Purchasing Doc_ 6000019430.exe	28
PID 1432 wrote to memory of 1764	1432	Purchasing Doc_ 6000019430.exe	28
PID 1432 wrote to memory of 1764	1432	Purchasing Doc_ 6000019430.exe	28
PID 1432 wrote to memory of 1764	1432	Purchasing Doc_ 6000019430.exe	28
PID 1432 wrote to memory of 1864	1432	Purchasing Doc_ 6000019430.exe	29
PID 1432 wrote to memory of 1864	1432	Purchasing Doc_ 6000019430.exe	29
PID 1432 wrote to memory of 1864	1432	Purchasing Doc_ 6000019430.exe	29
PID 1432 wrote to memory of 1864	1432	Purchasing Doc_ 6000019430.exe	29
PID 1432 wrote to memory of 1752	1432	Purchasing Doc_ 6000019430.exe	30
PID 1432 wrote to memory of 1752	1432	Purchasing Doc_ 6000019430.exe	30
PID 1432 wrote to memory of 1752	1432	Purchasing Doc_ 6000019430.exe	30
PID 1432 wrote to memory of 1752	1432	Purchasing Doc_ 6000019430.exe	30
PID 1432 wrote to memory of 1748	1432	Purchasing Doc_ 6000019430.exe	31
PID 1432 wrote to memory of 1748	1432	Purchasing Doc_ 6000019430.exe	31
PID 1432 wrote to memory of 1748	1432	Purchasing Doc_ 6000019430.exe	31
PID 1432 wrote to memory of 1748	1432	Purchasing Doc_ 6000019430.exe	31
PID 1432 wrote to memory of 520	1432	Purchasing Doc_ 6000019430.exe	32
PID 1432 wrote to memory of 520	1432	Purchasing Doc_ 6000019430.exe	32
PID 1432 wrote to memory of 520	1432	Purchasing Doc_ 6000019430.exe	32
PID 1432 wrote to memory of 520	1432	Purchasing Doc_ 6000019430.exe	32

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1432	Purchasing Doc_ 6000019430.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1432	Purchasing Doc_ 6000019430.exe
1432	Purchasing Doc_ 6000019430.exe
1432	Purchasing Doc_ 6000019430.exe
1432	Purchasing Doc_ 6000019430.exe
1432	Purchasing Doc_ 6000019430.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1836	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\Purchasing Doc_ 6000019430.exe
"C:\Users\Admin\AppData\Local\Temp\Purchasing Doc_ 6000019430.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:1432
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IVQzGkx" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE88A.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1836
- C:\Users\Admin\AppData\Local\Temp\Purchasing Doc_ 6000019430.exe
  "C:\Users\Admin\AppData\Local\Temp\Purchasing Doc_ 6000019430.exe"
  2⤵
  PID:1764
- C:\Users\Admin\AppData\Local\Temp\Purchasing Doc_ 6000019430.exe
  "C:\Users\Admin\AppData\Local\Temp\Purchasing Doc_ 6000019430.exe"
  2⤵
  PID:1864
- C:\Users\Admin\AppData\Local\Temp\Purchasing Doc_ 6000019430.exe
  "C:\Users\Admin\AppData\Local\Temp\Purchasing Doc_ 6000019430.exe"
  2⤵
  PID:1752
- C:\Users\Admin\AppData\Local\Temp\Purchasing Doc_ 6000019430.exe
  "C:\Users\Admin\AppData\Local\Temp\Purchasing Doc_ 6000019430.exe"
  2⤵
  PID:1748
- C:\Users\Admin\AppData\Local\Temp\Purchasing Doc_ 6000019430.exe
  "C:\Users\Admin\AppData\Local\Temp\Purchasing Doc_ 6000019430.exe"
  2⤵
  PID:520