ec51e50ebea3906ef87c852c95b256e3948a9bb789981a9dd1fe673d78663e66

General

Target

Top Urgent_New_Order_PDF.exe
Size

911KB
MD5

f71317984e36770287b066803de0ab00
SHA1

15f8bcac4aa7273f362ad1f474bf818ee5179b44
SHA256

ec51e50ebea3906ef87c852c95b256e3948a9bb789981a9dd1fe673d78663e66
SHA512

df2dd89cfdbeb05595e1c676adf3736ae8ebedcd3d1cc6ad6b4ea2f20a0d5fb149cab78d6f29c300eebf9e07c883596e1bc5267a561fed19d429c3f10e6989b9

Score

9^/10

evasion

Malware Config

Signatures

Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Top Urgent_New_Order_PDF.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Top Urgent_New_Order_PDF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Top Urgent_New_Order_PDF.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Top Urgent_New_Order_PDF.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	Top Urgent_New_Order_PDF.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	Top Urgent_New_Order_PDF.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1084 schtasks.exe

pid	process
1084	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

Top Urgent_New_Order_PDF.exe

pid	process
1184	Top Urgent_New_Order_PDF.exe
1184	Top Urgent_New_Order_PDF.exe
1184	Top Urgent_New_Order_PDF.exe
1184	Top Urgent_New_Order_PDF.exe
1184	Top Urgent_New_Order_PDF.exe
1184	Top Urgent_New_Order_PDF.exe
1184	Top Urgent_New_Order_PDF.exe
1184	Top Urgent_New_Order_PDF.exe
1184	Top Urgent_New_Order_PDF.exe
1184	Top Urgent_New_Order_PDF.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Top Urgent_New_Order_PDF.exe

description pid process

Token: SeDebugPrivilege 1184 Top Urgent_New_Order_PDF.exe

description	pid	process
Token: SeDebugPrivilege	1184	Top Urgent_New_Order_PDF.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

Top Urgent_New_Order_PDF.exe

description	pid	process	target process
PID 1184 wrote to memory of 1084	1184	Top Urgent_New_Order_PDF.exe	schtasks.exe
PID 1184 wrote to memory of 1084	1184	Top Urgent_New_Order_PDF.exe	schtasks.exe
PID 1184 wrote to memory of 1084	1184	Top Urgent_New_Order_PDF.exe	schtasks.exe
PID 1184 wrote to memory of 1084	1184	Top Urgent_New_Order_PDF.exe	schtasks.exe
PID 1184 wrote to memory of 300	1184	Top Urgent_New_Order_PDF.exe	Top Urgent_New_Order_PDF.exe
PID 1184 wrote to memory of 300	1184	Top Urgent_New_Order_PDF.exe	Top Urgent_New_Order_PDF.exe
PID 1184 wrote to memory of 300	1184	Top Urgent_New_Order_PDF.exe	Top Urgent_New_Order_PDF.exe
PID 1184 wrote to memory of 300	1184	Top Urgent_New_Order_PDF.exe	Top Urgent_New_Order_PDF.exe
PID 1184 wrote to memory of 316	1184	Top Urgent_New_Order_PDF.exe	Top Urgent_New_Order_PDF.exe
PID 1184 wrote to memory of 316	1184	Top Urgent_New_Order_PDF.exe	Top Urgent_New_Order_PDF.exe
PID 1184 wrote to memory of 316	1184	Top Urgent_New_Order_PDF.exe	Top Urgent_New_Order_PDF.exe
PID 1184 wrote to memory of 316	1184	Top Urgent_New_Order_PDF.exe	Top Urgent_New_Order_PDF.exe
PID 1184 wrote to memory of 308	1184	Top Urgent_New_Order_PDF.exe	Top Urgent_New_Order_PDF.exe
PID 1184 wrote to memory of 308	1184	Top Urgent_New_Order_PDF.exe	Top Urgent_New_Order_PDF.exe
PID 1184 wrote to memory of 308	1184	Top Urgent_New_Order_PDF.exe	Top Urgent_New_Order_PDF.exe
PID 1184 wrote to memory of 308	1184	Top Urgent_New_Order_PDF.exe	Top Urgent_New_Order_PDF.exe
PID 1184 wrote to memory of 1776	1184	Top Urgent_New_Order_PDF.exe	Top Urgent_New_Order_PDF.exe
PID 1184 wrote to memory of 1776	1184	Top Urgent_New_Order_PDF.exe	Top Urgent_New_Order_PDF.exe
PID 1184 wrote to memory of 1776	1184	Top Urgent_New_Order_PDF.exe	Top Urgent_New_Order_PDF.exe
PID 1184 wrote to memory of 1776	1184	Top Urgent_New_Order_PDF.exe	Top Urgent_New_Order_PDF.exe
PID 1184 wrote to memory of 820	1184	Top Urgent_New_Order_PDF.exe	Top Urgent_New_Order_PDF.exe
PID 1184 wrote to memory of 820	1184	Top Urgent_New_Order_PDF.exe	Top Urgent_New_Order_PDF.exe
PID 1184 wrote to memory of 820	1184	Top Urgent_New_Order_PDF.exe	Top Urgent_New_Order_PDF.exe
PID 1184 wrote to memory of 820	1184	Top Urgent_New_Order_PDF.exe	Top Urgent_New_Order_PDF.exe

C:\Users\Admin\AppData\Local\Temp\Top Urgent_New_Order_PDF.exe
"C:\Users\Admin\AppData\Local\Temp\Top Urgent_New_Order_PDF.exe"
1⤵
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1184

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mPwwUYOq" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFFE2.tmp"
2⤵
- Creates scheduled task(s)
PID:1084

C:\Users\Admin\AppData\Local\Temp\Top Urgent_New_Order_PDF.exe
"{path}"
2⤵
PID:300

C:\Users\Admin\AppData\Local\Temp\Top Urgent_New_Order_PDF.exe
"{path}"
2⤵
PID:316

C:\Users\Admin\AppData\Local\Temp\Top Urgent_New_Order_PDF.exe
"{path}"
2⤵
PID:308

C:\Users\Admin\AppData\Local\Temp\Top Urgent_New_Order_PDF.exe
"{path}"
2⤵
PID:1776

C:\Users\Admin\AppData\Local\Temp\Top Urgent_New_Order_PDF.exe
"{path}"
2⤵
PID:820

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

4

T1012

Virtualization/Sandbox Evasion

2

T1497

System Information Discovery

3

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpFFE2.tmp
MD5
e8651671fc85af9b8267424b53536656

SHA1
017678add52cb4e937c26b63ba413ed61842929e

SHA256
93ab22f13218549e4bb6757fd3fc6741160d141059574a60b316a4814819347f

SHA512
ffb73695bf131ce85c49d50f93a36a20388b79df2a0820c669e74220328db7c0133975e8bbea4744531d1cb19526963ca149728fac7439be50562855be9bacb7

Download Submit
memory/1084-8-0x0000000000000000-mapping.dmp

Download
memory/1184-2-0x00000000748C0000-0x0000000074FAE000-memory.dmp

Filesize
6.9MB

Download
memory/1184-3-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1184-5-0x00000000005D0000-0x00000000005D1000-memory.dmp

Filesize
4KB

Download
memory/1184-6-0x0000000000500000-0x000000000050E000-memory.dmp

Filesize
56KB

Download
memory/1184-7-0x00000000054C0000-0x0000000005547000-memory.dmp

Filesize
540KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads