Analysis

max time kernel: 132s
max time network: 154s
platform: windows7_x64
resource: win7v20210408
submitted: 23-07-2021 09:37

Static task: static1
Behavioral task: behavioral1
Sample: Purchase Order.Pdf.exe
Resource: win7v20210408
General

Target: Purchase Order.Pdf.exe
Size: 984KB
MD5: 6677a05c9b05d917b8654308183f9c5b
SHA1: 6c7189656dfcdfb04298ae60b80a350d17100f5a
SHA256: b5c47964271578c767ebb7c3bfee10cda45464043d6e2879408f138da8031cf4
SHA512: 2f8586af3a89fd200a4fc616f7db898c5199afd7d224144628ea9c80d1e22567507eefffa4eea5da20598c3d926a02d595fee69439623d252d35d9ddceef42dd
Malware Config
Signatures

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). The sandbox's stock description calls this "likely ransomware behaviour", but drive enumeration on its own is a weak indicator: nothing else in this report (no mass file writes, no ransom note) supports a ransomware classification.

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution. Here the task is registered from an XML definition written to the user's Temp directory (see the schtasks.exe command line in the process tree and the tmpCCB1.tmp artifact under Downloads).

Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes: PID 1924 Purchase Order.Pdf.exe (5 occurrences)

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes: PID 1924 Purchase Order.Pdf.exe enabled the token privilege SeDebugPrivilege

Suspicious use of WriteProcessMemory (24 IoCs)
Source process PID 1924 (Purchase Order.Pdf.exe) wrote to the memory of each of the following target processes four times:

  Target PID   Target process
  1736         schtasks.exe
  620          Purchase Order.Pdf.exe
  1956         Purchase Order.Pdf.exe
  676          Purchase Order.Pdf.exe
  1608         Purchase Order.Pdf.exe
  1636         Purchase Order.Pdf.exe
Processes

C:\Users\Admin\AppData\Local\Temp\Purchase Order.Pdf.exe (PID 1924, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Purchase Order.Pdf.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\schtasks.exe (PID 1736, depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BqSIOnJAkv" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCCB1.tmp"
    - Creates scheduled task(s)
    Note: the command line names the System32 copy of schtasks.exe, but the image that actually ran is the SysWOW64 copy. That is WOW64 file system redirection, which only applies to 32-bit processes, so the parent sample is a 32-bit executable.

  C:\Users\Admin\AppData\Local\Temp\Purchase Order.Pdf.exe (PID 620, depth 2)
  C:\Users\Admin\AppData\Local\Temp\Purchase Order.Pdf.exe (PID 1956, depth 2)
  C:\Users\Admin\AppData\Local\Temp\Purchase Order.Pdf.exe (PID 676, depth 2)
  C:\Users\Admin\AppData\Local\Temp\Purchase Order.Pdf.exe (PID 1608, depth 2)
  C:\Users\Admin\AppData\Local\Temp\Purchase Order.Pdf.exe (PID 1636, depth 2)
    Each child runs with the same command line as the parent. No signatures were attributed to the children themselves; the parent (PID 1924) wrote into the memory of each of them (see the WriteProcessMemory signature above), which is consistent with launching copies of itself and injecting into them.
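The process tree above shows three behaviours a responder can turn into telemetry checks: a document-looking name that is really an executable (Purchase Order.Pdf.exe), schtasks /Create fed an XML task definition from the user's Temp directory, and a binary in a user-writable directory spawning several copies of itself. The following Python is an added example, not code from the sandbox vendor or this report. It runs those three checks over process-creation events constructed from the tree (PIDs, image paths and the schtasks command line are taken from the report; the explorer.exe parent of PID 1924, the event field layout and the benign control task are assumptions).

```python
"""Detections for the behaviours in the sandbox report above.

Added example. The events are constructed from the report's process tree;
the parent of PID 1924 (assumed to be explorer.exe, PID 1000) and the
benign control task (PID 2000) are assumptions, as is the field layout.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the executable image that ran
    cmdline: str    # command line as logged


SAMPLE_PATH = r"C:\Users\Admin\AppData\Local\Temp\Purchase Order.Pdf.exe"
SCHTASKS_CMD = (
    r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BqSIOnJAkv" '
    r'/XML "C:\Users\Admin\AppData\Local\Temp\tmpCCB1.tmp"'
)

# Constructed events modelled on the report's process tree.
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(1000, 4, r"C:\Windows\explorer.exe", "explorer.exe"),  # assumed parent
    ProcEvent(1924, 1000, SAMPLE_PATH, f'"{SAMPLE_PATH}"'),
    ProcEvent(1736, 1924, r"C:\Windows\SysWOW64\schtasks.exe", SCHTASKS_CMD),
    ProcEvent(620, 1924, SAMPLE_PATH, f'"{SAMPLE_PATH}"'),
    ProcEvent(1956, 1924, SAMPLE_PATH, f'"{SAMPLE_PATH}"'),
    ProcEvent(676, 1924, SAMPLE_PATH, f'"{SAMPLE_PATH}"'),
    ProcEvent(1608, 1924, SAMPLE_PATH, f'"{SAMPLE_PATH}"'),
    ProcEvent(1636, 1924, SAMPLE_PATH, f'"{SAMPLE_PATH}"'),
    # Assumed benign control: task registered from a non-temp XML. Must not fire.
    ProcEvent(2000, 1000, r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /Create /TN "Backup\Nightly" /XML "C:\ProgramData\Backup\nightly.xml"'),
]

# Document-like extension immediately followed by an executable extension.
DOUBLE_EXT_RE = re.compile(r"\.(pdf|docx?|xlsx?|pptx?|txt|jpe?g|png)\.(exe|scr|com|pif)$", re.I)
# Per-user temp locations, literal or via environment variable.
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\|%temp%\\|%tmp%\\", re.I)
# Directories an unprivileged user can write to.
USER_WRITABLE_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\|\\Users\\Public\\|\\Downloads\\", re.I)
# The /XML argument may be quoted (paths with spaces) or bare.
XML_ARG_RE = re.compile(r'/xml\s+(?:"([^"]+)"|(\S+))', re.I)


def double_extension(ev: ProcEvent) -> Optional[str]:
    """Flag names such as 'Purchase Order.Pdf.exe' that masquerade as documents."""
    name = ev.image.rsplit("\\", 1)[-1]
    if DOUBLE_EXT_RE.search(name):
        return f"pid {ev.pid}: double-extension masquerade '{name}'"
    return None


def schtasks_from_temp(ev: ProcEvent) -> Optional[str]:
    """Flag 'schtasks /Create' whose task definition XML lives in a temp directory."""
    if not ev.image.lower().endswith("\\schtasks.exe"):
        return None
    if "/create" not in ev.cmdline.lower():
        return None
    m = XML_ARG_RE.search(ev.cmdline)
    if not m:
        return None
    xml_path = m.group(1) or m.group(2)
    if TEMP_RE.search(xml_path):
        return f"pid {ev.pid}: scheduled task created from temp XML {xml_path}"
    return None


def self_spawn_from_user_dir(events: List[ProcEvent], min_children: int = 2) -> List[str]:
    """Flag a binary in a user-writable directory that launches min_children+ copies of itself."""
    by_pid = {e.pid: e for e in events}
    children: Dict[int, List[int]] = {}
    for e in events:
        parent = by_pid.get(e.ppid)
        if (parent and parent.image.lower() == e.image.lower()
                and USER_WRITABLE_RE.search(parent.image)):
            children.setdefault(parent.pid, []).append(e.pid)
    return [f"pid {ppid}: spawned {len(kids)} copies of itself {sorted(kids)}"
            for ppid, kids in children.items() if len(kids) >= min_children]


def run(events: List[ProcEvent]) -> List[str]:
    """Apply all checks and return the list of findings."""
    findings: List[str] = []
    for e in events:
        for check in (double_extension, schtasks_from_temp):
            hit = check(e)
            if hit:
                findings.append(hit)
    findings.extend(self_spawn_from_user_dir(events))
    return findings


if __name__ == "__main__":
    for line in run(SAMPLE_EVENTS):
        print(line)
```

Against the constructed events this yields six double-extension hits (the parent and its five children), one scheduled-task hit for PID 1736 and one self-spawn hit for PID 1924, while the control task registered from C:\ProgramData stays silent. The self-spawn check is the most fragile of the three: legitimate software in AppData (updaters, Electron apps) also forks copies of itself, so in production it belongs in a correlation with the other two rather than as a standalone alert.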
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Temp\tmpCCB1.tmp (the task definition passed to schtasks.exe /XML)
MD5: f43eaa2be3f61fb1ef29f79c0cf643f9
SHA1: ebc87dc21dc55ac087939e5effb35cc986b1e812
SHA256: 3bbf99f477ad30398766d39e1483cc4b5fd8c0eddafd534bf30ff823f2e2716f
SHA512: 464d1ee8472e67922a7f268662511cff5029d7282d914018b6e2315321b54231fe09fed30d1a8dc7c54106fe9d0736f85717a4b8f5fa5d55eaf1ac86419aa45b

Memory dumps (file name encodes PID, sequence number and address range):
memory/1736-66-0x0000000000000000-mapping.dmp (mapping dump, no size given)
memory/1924-60-0x00000000003F0000-0x00000000003F1000-memory.dmp (Filesize 4KB)
memory/1924-62-0x0000000004BC0000-0x0000000004BC1000-memory.dmp (Filesize 4KB)
memory/1924-63-0x00000000004F0000-0x000000000051D000-memory.dmp (Filesize 180KB)
memory/1924-64-0x0000000008240000-0x00000000082B8000-memory.dmp (Filesize 480KB)
memory/1924-65-0x0000000001FF0000-0x0000000002023000-memory.dmp (Filesize 204KB)