Analysis
- max time kernel: 57s
- max time network: 121s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 13-01-2021 07:27
Static task: static1

Behavioral task: behavioral1
- Sample: PurchaseOrderPDF.exe
- Resource: win7v20201028 (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: PurchaseOrderPDF.exe
- Resource: win10v20201028 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: PurchaseOrderPDF.exe
- Size: 622KB
- MD5: 26bdf798d94b9a8cde3a7baf41c119c7
- SHA1: 54583e962e90d5af8ab1f5d2dd43284dc5ee88c3
- SHA256: 67c5cab06eb864d30cfed863f142fc4d80e3e324b7b30d46e37e38451f306679
- SHA512: 13f9baad5e0b929757ab2baad1e8c599c4f8974899aceaa8852784558f3676458000b2de4ffc0e2e37393989a52084590c0cc586fea47a1f8e7d238bba2b0f6c

Score: 9/10
Malware Config

Signatures
- Looks for VirtualBox Guest Additions in registry (2 TTPs)
- Looks for VMWare Tools registry key (2 TTPs)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  description / ioc / Process:
    Key value queried / \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion / PurchaseOrderPDF.exe
    Key value queried / \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion / PurchaseOrderPDF.exe
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  description / ioc / Process:
    Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum / PurchaseOrderPDF.exe
    Key value queried / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 / PurchaseOrderPDF.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid / Process:
    2504 / dw20.exe
    2504 / dw20.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description / pid / Process:
    Token: SeRestorePrivilege / 2504 / dw20.exe
    Token: SeBackupPrivilege / 2504 / dw20.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description / pid / Process / procid_target:
    PID 3888 wrote to memory of 2504 / 3888 / PurchaseOrderPDF.exe / 80
    PID 3888 wrote to memory of 2504 / 3888 / PurchaseOrderPDF.exe / 80
    PID 3888 wrote to memory of 2504 / 3888 / PurchaseOrderPDF.exe / 80
Processes
1. C:\Users\Admin\AppData\Local\Temp\PurchaseOrderPDF.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\PurchaseOrderPDF.exe"
   - Checks BIOS information in registry
   - Maps connected drives based on registry
   - Suspicious use of WriteProcessMemory
   PID: 3888
   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      Command line: dw20.exe -x -s 1280
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2504