Analysis
max time kernel: 8s
max time network: 11s
platform: windows7_x64
resource: win7v20201028
submitted: 16-01-2021 07:33

Static task: static1

Behavioral task: behavioral1
Sample: Production order List Quotation.pdf.exe
Resource: win7v20201028 (windows7_x64)
0 signatures, 0 seconds

Behavioral task: behavioral2
Sample: Production order List Quotation.pdf.exe
Resource: win10v20201028 (windows10_x64)
0 signatures, 0 seconds

General
Target: Production order List Quotation.pdf.exe
Size: 848KB
MD5: b66c5b7075d1d8b866aaaa54be2719fe
SHA1: dc66d9a7dec86f3961f1c71498052fc166d2cbee
SHA256: fa7b9f85c252084827387001e3e113db0800169afc79e4f3305e0a1d3574bccd
SHA512: 04ef36e2405f32f2c04b0e6372353a93cfd354e1f226a568f111825871a61b01ff61a15f472d79f1d619a37ddaafe82549b66b9725e19f84eef8ad78aba62165
Score: 10/10

Malware Config

Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Process: Production order List Quotation.pdf.exe
Set value (str): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Production order List Quotation.pdf.exe\""
Winlogon starts every program listed in the comma-separated Shell value, so this entry keeps the normal desktop (explorer.exe) and additionally launches the sample from the user's Temp directory at each logon of that user.

Drops startup file (2 IoCs)
Process: Production order List Quotation.pdf.exe
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Production order List Quotation.pdf.exe
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Production order List Quotation.pdf.exe
A copy placed in the per-user Startup folder is executed at every interactive logon of that user.

Adds Run key to start application (2 TTPs, 2 IoCs)
Process: Production order List Quotation.pdf.exe
Set value (str): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Production order List Quotation.pdf.exe"
Set value (str): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\Production order List Quotation.pdf.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Production order List Quotation.pdf.exe"
The value name shown as <Unknown> is the sandbox's placeholder for a name it did not resolve. All three mechanisms point at the same executable under the user's Temp directory, so triage of an infected host should check the Winlogon Shell value, the per-user Run key and the Startup folder together rather than stopping at the first hit.
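The three signatures above are the kind of behaviour a host-based detection should catch on a live endpoint, not only in a sandbox. The following is an added example (not part of this report and not the sandbox's own logic): a small rule set that scans Sysmon-style events for the same three persistence techniques. It assumes Sysmon's field names (EventID 13 = RegistryEvent value set with TargetObject/Details, EventID 11 = FileCreate with TargetFilename); the event records are constructed by hand to mirror this report's IoCs plus two benign-looking controls, and are not captured telemetry. Registry paths are accepted both in the kernel form the sandbox prints (\REGISTRY\USER\<SID>\...) and in Sysmon's HKU\<SID>\... form.

```python
"""Persistence-IoC rules for Sysmon-style events (added example, constructed data)."""
import csv
import re
from typing import Dict, List

# Registry paths arrive either in kernel form (\REGISTRY\USER\<SID>\...), as the
# sandbox prints them, or in Sysmon form (HKU\<SID>\... / HKLM\... / HKCU\...).
# Strip either prefix so one set of rules matches both.
_HIVE_PREFIX = re.compile(
    r"^(?:\\REGISTRY\\(?:USER|MACHINE)|HKU|HKLM|HKCU|HKEY_USERS|HKEY_LOCAL_MACHINE|"
    r"HKEY_CURRENT_USER)(?:\\S-1-5-[\d-]+)?\\",
    re.IGNORECASE,
)
_WINLOGON_SHELL = re.compile(
    r"^Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell$", re.IGNORECASE)
_RUN_KEY = re.compile(
    r"^Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)
_STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
# Directories a standard user can write to; a Run entry pointing here is far
# more suspicious than one under Program Files or System32.
_USER_WRITABLE = re.compile(
    r"\\(?:AppData\\Local\\Temp|AppData\\Roaming|Downloads|Public|ProgramData)\\",
    re.IGNORECASE)


def strip_hive(target_object: str) -> str:
    """Return the key path relative to the hive root, e.g. 'Software\\...'."""
    return _HIVE_PREFIX.sub("", target_object, count=1)


def split_shell_value(details: str) -> List[str]:
    """Split a Winlogon Shell value into the programs it launches.

    Winlogon starts every entry of the comma-separated list, so
    'explorer.exe,"C:\\path\\x.exe"' runs both. Entries may be quoted and
    contain spaces or commas; the csv module handles that quoting.
    """
    return [p.strip() for p in next(csv.reader([details], skipinitialspace=True)) if p.strip()]


def scan(events: List[Dict[str, object]]) -> List[Dict[str, str]]:
    """Apply the three persistence rules to Sysmon-style events, in order."""
    findings: List[Dict[str, str]] = []
    for ev in events:
        image = str(ev.get("Image", ""))
        if ev.get("EventID") == 13:  # registry value set
            key = strip_hive(str(ev["TargetObject"]))
            details = str(ev.get("Details", ""))
            if _WINLOGON_SHELL.match(key):
                # Anything besides explorer.exe in the Shell list is a finding.
                for prog in split_shell_value(details):
                    if prog.strip('"').lower().rsplit("\\", 1)[-1] != "explorer.exe":
                        findings.append({"rule": "winlogon_shell", "severity": "high",
                                         "process": image, "evidence": prog})
            elif _RUN_KEY.match(key):
                sev = "high" if _USER_WRITABLE.search(details) else "low"
                findings.append({"rule": "run_key", "severity": sev,
                                 "process": image, "evidence": f"{key} = {details}"})
        elif ev.get("EventID") == 11:  # file create
            path = str(ev["TargetFilename"])
            if _STARTUP_DIR.search(path):
                findings.append({"rule": "startup_folder", "severity": "high",
                                 "process": image, "evidence": path})
    return findings


# Constructed sample events mirroring the report's IoCs (not captured telemetry).
SAMPLE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Production order List Quotation.pdf.exe"
SID = "S-1-5-21-3825035466-2522850611-591511364-1000"
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventID": 13, "Image": SAMPLE,
     "TargetObject": f"\\REGISTRY\\USER\\{SID}\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\shell",
     "Details": f'explorer.exe,"{SAMPLE}"'},
    {"EventID": 11, "Image": SAMPLE,
     "TargetFilename": "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Production order List Quotation.pdf.exe"},
    {"EventID": 13, "Image": SAMPLE,
     "TargetObject": f"HKU\\{SID}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Production order List Quotation.pdf.exe",
     "Details": SAMPLE},
    # Benign-looking controls (constructed): a machine-wide Run entry under
    # System32 and a stock Shell value; the first is low severity, the second silent.
    {"EventID": 13, "Image": "C:\\Windows\\System32\\msiexec.exe",
     "TargetObject": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\SecurityHealth",
     "Details": "C:\\Windows\\system32\\SecurityHealthSystray.exe"},
    {"EventID": 13, "Image": "C:\\Windows\\System32\\msiexec.exe",
     "TargetObject": "HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell",
     "Details": "explorer.exe"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['rule']}: {f['process']} -> {f['evidence']}")
```

The Shell rule deliberately flags any extra program rather than matching this sample's path, since the technique is the comma-separated list, not the file name; the Run-key rule reports every addition and uses the target directory only to set severity, which keeps legitimate installers visible without drowning the Temp-directory case.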