Analysis
Max time kernel: 9s
Max time network: 96s
Platform: windows10_x64
Resource: win10v20201028
Submitted: 15-01-2021 16:09
Static task: static1

Behavioral task: behavioral1
Sample: Production order List Quotation.pdf.bin.exe
Resource: win7v20201028 (windows7_x64)
Signatures: 0
Duration: 0 seconds

Behavioral task: behavioral2
Sample: Production order List Quotation.pdf.bin.exe
Resource: win10v20201028 (windows10_x64)
Signatures: 0
Duration: 0 seconds
General
Target: Production order List Quotation.pdf.bin.exe
Size: 848KB
MD5: b66c5b7075d1d8b866aaaa54be2719fe
SHA1: dc66d9a7dec86f3961f1c71498052fc166d2cbee
SHA256: fa7b9f85c252084827387001e3e113db0800169afc79e4f3305e0a1d3574bccd
SHA512: 04ef36e2405f32f2c04b0e6372353a93cfd354e1f226a568f111825871a61b01ff61a15f472d79f1d619a37ddaafe82549b66b9725e19f84eef8ad78aba62165
Score: 10/10
Malware Config

Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Process: Production order List Quotation.pdf.bin.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Production order List Quotation.pdf.bin.exe\""
  process: Production order List Quotation.pdf.bin.exe

Drops startup file (2 IoCs)
Process: Production order List Quotation.pdf.bin.exe
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Production order List Quotation.pdf.bin.exe
  process: Production order List Quotation.pdf.bin.exe

  description: File opened for modification
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Production order List Quotation.pdf.bin.exe
  process: Production order List Quotation.pdf.bin.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Process: Production order List Quotation.pdf.bin.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Production order List Quotation.pdf.bin.exe"
  process: Production order List Quotation.pdf.bin.exe

  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Production order List Quotation.pdf.bin.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Production order List Quotation.pdf.bin.exe"
  process: Production order List Quotation.pdf.bin.exe
Processes
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/1304-2-0x0000000073C50000-0x000000007433E000-memory.dmp (Filesize: 6.9MB)
memory/1304-3-0x0000000000630000-0x0000000000631000-memory.dmp (Filesize: 4KB)
memory/1304-5-0x0000000004EF0000-0x0000000004EF1000-memory.dmp (Filesize: 4KB)
memory/1304-6-0x0000000005490000-0x0000000005491000-memory.dmp (Filesize: 4KB)
memory/1304-7-0x0000000005130000-0x0000000005131000-memory.dmp (Filesize: 4KB)
memory/1304-8-0x0000000005110000-0x0000000005111000-memory.dmp (Filesize: 4KB)
memory/1304-9-0x00000000051D0000-0x00000000051F0000-memory.dmp (Filesize: 128KB)