Analysis

  • max time kernel
    88s
  • max time network
    42s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    07-07-2021 09:25

General

  • Target

    pdf file.exe

  • Size

    1.1MB

  • MD5

    3cbd781f564cf84ffef48e204f447b2d

  • SHA1

    62a79b0bde60d2b46ceb204bd127065d64c66d3d

  • SHA256

    686f4b4a55d410762e893e7caccfe000ff0b927339a4da65b3076ac932d8b409

  • SHA512

    5ae28a6458f9368ce0a5f08b189903171372514b3aeb218a21affd4448d4c4d97e382dd6153e63e1bfbde0d675438544125153f9530f234198a783d6e6d027ac

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\pdf file.exe
    "C:\Users\Admin\AppData\Local\Temp\pdf file.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1836
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZsTxZSAorIA" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD8A3.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:332
    • C:\Users\Admin\AppData\Local\Temp\pdf file.exe
      "C:\Users\Admin\AppData\Local\Temp\pdf file.exe"
      2⤵
      PID:1112
    • C:\Users\Admin\AppData\Local\Temp\pdf file.exe
      "C:\Users\Admin\AppData\Local\Temp\pdf file.exe"
      2⤵
      PID:972
    • C:\Users\Admin\AppData\Local\Temp\pdf file.exe
      "C:\Users\Admin\AppData\Local\Temp\pdf file.exe"
      2⤵
      PID:1516
    • C:\Users\Admin\AppData\Local\Temp\pdf file.exe
      "C:\Users\Admin\AppData\Local\Temp\pdf file.exe"
      2⤵
      PID:568
    • C:\Users\Admin\AppData\Local\Temp\pdf file.exe
      "C:\Users\Admin\AppData\Local\Temp\pdf file.exe"
      2⤵
      PID:552

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Execution
    Scheduled Task (T1053)
    1

  • Persistence
    Scheduled Task (T1053)
    1

  • Privilege Escalation
    Scheduled Task (T1053)
    1

  • Discovery
    System Information Discovery (T1082)
    1

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpD8A3.tmp

    MD5
    3254b6296ccc86ab8d95ca943afb235d

    SHA1
    cfff71bcbe19a6a22767dad9483c6d3b2a9836c3

    SHA256
    42ea8b1ae2e9b4598aabd73cdea2c0510c532f2814c1a17b823d598a0cc0c2c8

    SHA512
    61f81cfaeb17406d5736fd3e75d7ccab31f70d78e803a2de1185ca03242d4321d9ba5153925cdc5c56989798143383f13d9fd78cf857eb75f0f01ed5bedbee30

  • memory/332-65-0x0000000000000000-mapping.dmp

  • memory/1836-59-0x0000000000200000-0x0000000000201000-memory.dmp
    Filesize
    4KB

  • memory/1836-61-0x0000000004E40000-0x0000000004E41000-memory.dmp
    Filesize
    4KB

  • memory/1836-62-0x0000000000590000-0x000000000059F000-memory.dmp
    Filesize
    60KB

  • memory/1836-63-0x00000000056D0000-0x000000000576B000-memory.dmp
    Filesize
    620KB

  • memory/1836-64-0x0000000004F30000-0x0000000004F99000-memory.dmp
    Filesize
    420KB