Analysis

  • max time kernel
    132s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    23-07-2021 09:37

General

  • Target

    Purchase Order.Pdf.exe

  • Size

    984KB

  • MD5

    6677a05c9b05d917b8654308183f9c5b

  • SHA1

    6c7189656dfcdfb04298ae60b80a350d17100f5a

  • SHA256

    b5c47964271578c767ebb7c3bfee10cda45464043d6e2879408f138da8031cf4

  • SHA512

    2f8586af3a89fd200a4fc616f7db898c5199afd7d224144628ea9c80d1e22567507eefffa4eea5da20598c3d926a02d595fee69439623d252d35d9ddceef42dd

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Purchase Order.Pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\Purchase Order.Pdf.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1924
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BqSIOnJAkv" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCCB1.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1736
    • C:\Users\Admin\AppData\Local\Temp\Purchase Order.Pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\Purchase Order.Pdf.exe"
      2⤵
      PID:620
    • C:\Users\Admin\AppData\Local\Temp\Purchase Order.Pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\Purchase Order.Pdf.exe"
      2⤵
      PID:1956
    • C:\Users\Admin\AppData\Local\Temp\Purchase Order.Pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\Purchase Order.Pdf.exe"
      2⤵
      PID:676
    • C:\Users\Admin\AppData\Local\Temp\Purchase Order.Pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\Purchase Order.Pdf.exe"
      2⤵
      PID:1608
    • C:\Users\Admin\AppData\Local\Temp\Purchase Order.Pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\Purchase Order.Pdf.exe"
      2⤵
      PID:1636

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpCCB1.tmp
    MD5

    f43eaa2be3f61fb1ef29f79c0cf643f9

    SHA1

    ebc87dc21dc55ac087939e5effb35cc986b1e812

    SHA256

    3bbf99f477ad30398766d39e1483cc4b5fd8c0eddafd534bf30ff823f2e2716f

    SHA512

    464d1ee8472e67922a7f268662511cff5029d7282d914018b6e2315321b54231fe09fed30d1a8dc7c54106fe9d0736f85717a4b8f5fa5d55eaf1ac86419aa45b

  • memory/1736-66-0x0000000000000000-mapping.dmp
  • memory/1924-60-0x00000000003F0000-0x00000000003F1000-memory.dmp
    Filesize

    4KB

  • memory/1924-62-0x0000000004BC0000-0x0000000004BC1000-memory.dmp
    Filesize

    4KB

  • memory/1924-63-0x00000000004F0000-0x000000000051D000-memory.dmp
    Filesize

    180KB

  • memory/1924-64-0x0000000008240000-0x00000000082B8000-memory.dmp
    Filesize

    480KB

  • memory/1924-65-0x0000000001FF0000-0x0000000002023000-memory.dmp
    Filesize

    204KB