fa7b9f85c252084827387001e3e113db0800169afc79e4f3305e0a1d3574bccd

Analysis

max time kernel
123s
max time network
123s
platform
windows10_x64
resource
win10v20201028
submitted
16-01-2021 07:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Production order List Quotation.pdf.exe
Size

848KB
MD5

b66c5b7075d1d8b866aaaa54be2719fe
SHA1

dc66d9a7dec86f3961f1c71498052fc166d2cbee
SHA256

fa7b9f85c252084827387001e3e113db0800169afc79e4f3305e0a1d3574bccd
SHA512

04ef36e2405f32f2c04b0e6372353a93cfd354e1f226a568f111825871a61b01ff61a15f472d79f1d619a37ddaafe82549b66b9725e19f84eef8ad78aba62165

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

Production order List Quotation.pdf.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Production order List Quotation.pdf.exe\""	Production order List Quotation.pdf.exe

Drops startup file 2 IoCs

Processes:

Production order List Quotation.pdf.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Production order List Quotation.pdf.exe	Production order List Quotation.pdf.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Production order List Quotation.pdf.exe	Production order List Quotation.pdf.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Production order List Quotation.pdf.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Production order List Quotation.pdf.exe"	Production order List Quotation.pdf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Production order List Quotation.pdf.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Production order List Quotation.pdf.exe"	Production order List Quotation.pdf.exe

C:\Users\Admin\AppData\Local\Temp\Production order List Quotation.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Production order List Quotation.pdf.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Adds Run key to start application
PID:1316

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1316-2-0x0000000073C50000-0x000000007433E000-memory.dmp

Filesize
6.9MB

Download
memory/1316-3-0x0000000000D80000-0x0000000000D81000-memory.dmp

Filesize
4KB

Download
memory/1316-5-0x0000000005620000-0x0000000005621000-memory.dmp

Filesize
4KB

Download
memory/1316-6-0x0000000005BC0000-0x0000000005BC1000-memory.dmp

Filesize
4KB

Download
memory/1316-7-0x00000000058C0000-0x00000000058C1000-memory.dmp

Filesize
4KB

Download
memory/1316-8-0x0000000005860000-0x0000000005861000-memory.dmp

Filesize
4KB

Download
memory/1316-9-0x0000000005870000-0x0000000005890000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads