Overview

overview

10

Static

static

Doc_498575...df.exe

windows7_x64

10

Doc_498575...df.exe

windows10_x64

10

Analysis

  • max time kernel
    19s
  • max time network
    101s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    26-02-2021 06:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Doc_498575947594986494659499465848658484846584,pdf.exe

  • Size

    78KB

  • MD5

    31a018d815f0d317b090665f3c4050e8

  • SHA1

    976a5037b21e53bd265a9b82271db389be0279ff

  • SHA256

    c0edc415e1c08532783562faf5434e866087e82e257283fc3b0bb0081b040f24

  • SHA512

    e29ae8b6a24206d59cdce3f0a120cc7931c07100f2ace1cab2ad54967c9efe47f958c665101ac6e2e68132d4a0fba1d7a19eabe952eaf6baeb7033a794f60ccd

Score
10/10
evasiontrojan

Malware Config

Signatures

  • UAC bypass 3 TTPs
    evasiontrojan
  • Windows security bypass 2 TTPs
    evasiontrojan
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 14 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\Doc_498575947594986494659499465848658484846584,pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\Doc_498575947594986494659499465848658484846584,pdf.exe"
    1⤵
    • Windows security modification
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1156
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Doc_498575947594986494659499465848658484846584,pdf.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:60
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c timeout 1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2056
      • C:\Windows\SysWOW64\timeout.exe
        timeout 1
        3⤵
        • Delays execution with timeout.exe
        PID:3976

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/60-17-0x0000000007590000-0x0000000007591000-memory.dmp
    Filesize

    4KB

    Download
  • memory/60-41-0x0000000009040000-0x0000000009041000-memory.dmp
    Filesize

    4KB

    Download
  • memory/60-18-0x0000000007800000-0x0000000007801000-memory.dmp
    Filesize

    4KB

    Download
  • memory/60-39-0x0000000009050000-0x0000000009051000-memory.dmp
    Filesize

    4KB

    Download
  • memory/60-38-0x0000000001203000-0x0000000001204000-memory.dmp
    Filesize

    4KB

    Download
  • memory/60-37-0x00000000090A0000-0x00000000090A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/60-36-0x0000000008BE0000-0x0000000008BE1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/60-10-0x0000000000000000-mapping.dmp
    Download
  • memory/60-11-0x0000000073CB0000-0x000000007439E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/60-12-0x00000000011C0000-0x00000000011C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/60-35-0x0000000008B60000-0x0000000008B61000-memory.dmp
    Filesize

    4KB

    Download
  • memory/60-13-0x0000000006E10000-0x0000000006E11000-memory.dmp
    Filesize

    4KB

    Download
  • memory/60-15-0x0000000006D50000-0x0000000006D51000-memory.dmp
    Filesize

    4KB

    Download
  • memory/60-16-0x0000000007440000-0x0000000007441000-memory.dmp
    Filesize

    4KB

    Download
  • memory/60-28-0x0000000008B80000-0x0000000008BB3000-memory.dmp
    Filesize

    204KB

    Download
  • memory/60-27-0x000000007F460000-0x000000007F461000-memory.dmp
    Filesize

    4KB

    Download
  • memory/60-25-0x0000000007E60000-0x0000000007E61000-memory.dmp
    Filesize

    4KB

    Download
  • memory/60-20-0x0000000001200000-0x0000000001201000-memory.dmp
    Filesize

    4KB

    Download
  • memory/60-21-0x0000000001202000-0x0000000001203000-memory.dmp
    Filesize

    4KB

    Download
  • memory/60-24-0x0000000007CC0000-0x0000000007CC1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/60-23-0x0000000007500000-0x0000000007501000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1156-3-0x00000000007A0000-0x00000000007A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1156-5-0x0000000005040000-0x0000000005041000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1156-14-0x00000000058A0000-0x00000000058A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1156-9-0x0000000006B40000-0x0000000006B41000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1156-8-0x0000000007040000-0x0000000007041000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1156-7-0x0000000002A90000-0x0000000002B21000-memory.dmp
    Filesize

    580KB

    Download
  • memory/1156-6-0x0000000006AA0000-0x0000000006AA1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1156-2-0x0000000073CB0000-0x000000007439E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2056-19-0x0000000000000000-mapping.dmp
    Download
  • memory/3976-22-0x0000000000000000-mapping.dmp
    Download