70b78c45068edaaec097bf6e99995413c8f13d06e2973e8f493906842f71a2ed

General

Target

Scan Document for new Order-pdf.exe
Size

912KB
MD5

d58e1d1a4313f3ff9b2df58d6677e01f
SHA1

ae3814ff22ace21de50a800a4dbf1e06ad0323fc
SHA256

70b78c45068edaaec097bf6e99995413c8f13d06e2973e8f493906842f71a2ed
SHA512

340b30c5152056c3ca638ebf29304561c2ea899888268891c23356665f4156ecf17cadaaf2bbf3216ccf932213508e3e5be35c6ebcb92147b063dcbe71623354

Score

1^/10

Malware Config

Signatures

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 728 wrote to memory of 1876	728	Scan Document for new Order-pdf.exe	26
PID 728 wrote to memory of 1876	728	Scan Document for new Order-pdf.exe	26
PID 728 wrote to memory of 1876	728	Scan Document for new Order-pdf.exe	26
PID 728 wrote to memory of 1876	728	Scan Document for new Order-pdf.exe	26
PID 728 wrote to memory of 1756	728	Scan Document for new Order-pdf.exe	28
PID 728 wrote to memory of 1756	728	Scan Document for new Order-pdf.exe	28
PID 728 wrote to memory of 1756	728	Scan Document for new Order-pdf.exe	28
PID 728 wrote to memory of 1756	728	Scan Document for new Order-pdf.exe	28
PID 728 wrote to memory of 1776	728	Scan Document for new Order-pdf.exe	29
PID 728 wrote to memory of 1776	728	Scan Document for new Order-pdf.exe	29
PID 728 wrote to memory of 1776	728	Scan Document for new Order-pdf.exe	29
PID 728 wrote to memory of 1776	728	Scan Document for new Order-pdf.exe	29
PID 728 wrote to memory of 516	728	Scan Document for new Order-pdf.exe	30
PID 728 wrote to memory of 516	728	Scan Document for new Order-pdf.exe	30
PID 728 wrote to memory of 516	728	Scan Document for new Order-pdf.exe	30
PID 728 wrote to memory of 516	728	Scan Document for new Order-pdf.exe	30
PID 728 wrote to memory of 652	728	Scan Document for new Order-pdf.exe	31
PID 728 wrote to memory of 652	728	Scan Document for new Order-pdf.exe	31
PID 728 wrote to memory of 652	728	Scan Document for new Order-pdf.exe	31
PID 728 wrote to memory of 652	728	Scan Document for new Order-pdf.exe	31
PID 728 wrote to memory of 460	728	Scan Document for new Order-pdf.exe	32
PID 728 wrote to memory of 460	728	Scan Document for new Order-pdf.exe	32
PID 728 wrote to memory of 460	728	Scan Document for new Order-pdf.exe	32
PID 728 wrote to memory of 460	728	Scan Document for new Order-pdf.exe	32

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	728	Scan Document for new Order-pdf.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
728	Scan Document for new Order-pdf.exe
728	Scan Document for new Order-pdf.exe
728	Scan Document for new Order-pdf.exe
728	Scan Document for new Order-pdf.exe
728	Scan Document for new Order-pdf.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1876	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\Scan Document for new Order-pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Scan Document for new Order-pdf.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:728
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IYoeCFUSdn" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAACF.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1876
- C:\Users\Admin\AppData\Local\Temp\Scan Document for new Order-pdf.exe
  "{path}"
  2⤵
  PID:1756
- C:\Users\Admin\AppData\Local\Temp\Scan Document for new Order-pdf.exe
  "{path}"
  2⤵
  PID:1776
- C:\Users\Admin\AppData\Local\Temp\Scan Document for new Order-pdf.exe
  "{path}"
  2⤵
  PID:516
- C:\Users\Admin\AppData\Local\Temp\Scan Document for new Order-pdf.exe
  "{path}"
  2⤵
  PID:652
- C:\Users\Admin\AppData\Local\Temp\Scan Document for new Order-pdf.exe
  "{path}"
  2⤵
  PID:460