77feba00f6a55111f34c82733f30836d566baf560e3db58b9866caca55d303d8

General

Target

Production order List Quotation.pdf.exe
Size

435KB
MD5

1890133e76ec2fe09839907d1172e605
SHA1

2c7e88feed5784a381b9e5ce01c9308929497f61
SHA256

77feba00f6a55111f34c82733f30836d566baf560e3db58b9866caca55d303d8
SHA512

e4d21563688ac6cd65d04374c25831d07ad518f974db70c3fcde20bddeb8172ecad4fc0b7676b894d60810d6a9018d9e36b4e719da2c045189e45417b71773ad

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

Production.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\Production.exe\""	Production.exe

Executes dropped EXE 1 IoCs

Processes:

Production.exe

pid process

1540 Production.exe

pid	process
1540	Production.exe

Drops startup file 2 IoCs

Processes:

Production.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Production.exe	Production.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Production.exe	Production.exe

Loads dropped DLL 4 IoCs

Processes:

Production order List Quotation.pdf.exe

pid	process
1744	Production order List Quotation.pdf.exe
1744	Production order List Quotation.pdf.exe
1744	Production order List Quotation.pdf.exe
1744	Production order List Quotation.pdf.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Production.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\Production.exe"	Production.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\Production.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\Production.exe"	Production.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

DllHost.exe

pid process

1200 DllHost.exe

pid	process
1200	DllHost.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

Production order List Quotation.pdf.exe

description	pid	process	target process
PID 1744 wrote to memory of 1540	1744	Production order List Quotation.pdf.exe	Production.exe
PID 1744 wrote to memory of 1540	1744	Production order List Quotation.pdf.exe	Production.exe
PID 1744 wrote to memory of 1540	1744	Production order List Quotation.pdf.exe	Production.exe
PID 1744 wrote to memory of 1540	1744	Production order List Quotation.pdf.exe	Production.exe
PID 1744 wrote to memory of 1540	1744	Production order List Quotation.pdf.exe	Production.exe
PID 1744 wrote to memory of 1540	1744	Production order List Quotation.pdf.exe	Production.exe
PID 1744 wrote to memory of 1540	1744	Production order List Quotation.pdf.exe	Production.exe

C:\Users\Admin\AppData\Local\Temp\Production order List Quotation.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Production order List Quotation.pdf.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1744

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Production.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Production.exe"
2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
PID:1540

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:1200

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Order.jpg
MD5
f2ff26db0c8cdad7840be73974c1ae11

SHA1
fc0270b0cf43b66274b5fa0b2cb9bf6a96e9cb43

SHA256
4153f7907b1e44f5bb4c9cc455504534a5025ce35d69cd1fa28ae1610efc383f

SHA512
e1fe938108f9c4400662d13eaa597e98728bbbaeef324ba4100b357ffceb133ae06c134809e4f22c2338003f89a888f1a3afcc81bb227f54d6515876c24c20c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Production.exe
MD5
553cc5e02823029b6ad67f9bfe1c37f9

SHA1
577183637a011c8039c4e6d76add986d4121242e

SHA256
fe3c9884da6b43c5394d59e4346d4010ea30e53483eb121bddd2e000efb3c82e

SHA512
f63a297cdcdecd4d909f0b985b76ec654864d817ac756c2064b1392f9e53c30b3cfc2d778f625e8e3f7ea519f40e61616c7e9df66cf90be8891f5f4c09a7809e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Production.exe
MD5
553cc5e02823029b6ad67f9bfe1c37f9

SHA1
577183637a011c8039c4e6d76add986d4121242e

SHA256
fe3c9884da6b43c5394d59e4346d4010ea30e53483eb121bddd2e000efb3c82e

SHA512
f63a297cdcdecd4d909f0b985b76ec654864d817ac756c2064b1392f9e53c30b3cfc2d778f625e8e3f7ea519f40e61616c7e9df66cf90be8891f5f4c09a7809e

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Production.exe
MD5
553cc5e02823029b6ad67f9bfe1c37f9

SHA1
577183637a011c8039c4e6d76add986d4121242e

SHA256
fe3c9884da6b43c5394d59e4346d4010ea30e53483eb121bddd2e000efb3c82e

SHA512
f63a297cdcdecd4d909f0b985b76ec654864d817ac756c2064b1392f9e53c30b3cfc2d778f625e8e3f7ea519f40e61616c7e9df66cf90be8891f5f4c09a7809e

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Production.exe
MD5
553cc5e02823029b6ad67f9bfe1c37f9

SHA1
577183637a011c8039c4e6d76add986d4121242e

SHA256
fe3c9884da6b43c5394d59e4346d4010ea30e53483eb121bddd2e000efb3c82e

SHA512
f63a297cdcdecd4d909f0b985b76ec654864d817ac756c2064b1392f9e53c30b3cfc2d778f625e8e3f7ea519f40e61616c7e9df66cf90be8891f5f4c09a7809e

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Production.exe
MD5
553cc5e02823029b6ad67f9bfe1c37f9

SHA1
577183637a011c8039c4e6d76add986d4121242e

SHA256
fe3c9884da6b43c5394d59e4346d4010ea30e53483eb121bddd2e000efb3c82e

SHA512
f63a297cdcdecd4d909f0b985b76ec654864d817ac756c2064b1392f9e53c30b3cfc2d778f625e8e3f7ea519f40e61616c7e9df66cf90be8891f5f4c09a7809e

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Production.exe
MD5
553cc5e02823029b6ad67f9bfe1c37f9

SHA1
577183637a011c8039c4e6d76add986d4121242e

SHA256
fe3c9884da6b43c5394d59e4346d4010ea30e53483eb121bddd2e000efb3c82e

SHA512
f63a297cdcdecd4d909f0b985b76ec654864d817ac756c2064b1392f9e53c30b3cfc2d778f625e8e3f7ea519f40e61616c7e9df66cf90be8891f5f4c09a7809e

Download Submit
memory/1540-6-0x0000000000000000-mapping.dmp

Download
memory/1540-9-0x0000000073470000-0x0000000073B5E000-memory.dmp

Filesize
6.9MB

Download
memory/1540-10-0x0000000001000000-0x0000000001001000-memory.dmp

Filesize
4KB

Download
memory/1540-12-0x0000000000350000-0x000000000036E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads