Analysis
- max time kernel: 140s
- max time network: 88s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 26-09-2021 20:20

Static task: static1
Behavioral task: behavioral1
- Sample: Комплект документов по запросу от 20.08.2021 БН.pdf.exe
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: Комплект документов по запросу от 20.08.2021 БН.pdf.exe
- Resource: win10v20210408

General
- Target: Комплект документов по запросу от 20.08.2021 БН.pdf.exe
- Size: 1.7MB
- MD5: 7495d4b8448734d54e24c87a461fb8cd
- SHA1: 9aa95d81d4306ab186c935aae358e6084a5286d5
- SHA256: 258b364ab27f67fe67b70169cbf89998ad2bcf6e348d05e9426c40463f4e65e9
- SHA512: d30c4526199cbc30f00cd1f59851b1a51974c9b16a36da1a2b6eb2edfba79028052cc997a095d8e0e1225f2a2fdb32a7e2db62a330c1ca07a6eca4395363ed91
Malware Config
Signatures
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes (taskmgr.exe):
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A
  - Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName
- Suspicious behavior: EnumeratesProcesses (28 IoCs)
  Processes: taskmgr.exe, pid 508 (28 identical entries)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (taskmgr.exe, pid 508):
  - Token: SeDebugPrivilege
  - Token: SeSystemProfilePrivilege
  - Token: SeCreateGlobalPrivilege
- Suspicious use of FindShellTrayWindow (40 IoCs)
  Processes: taskmgr.exe, pid 508 (40 identical entries)
- Suspicious use of SendNotifyMessage (40 IoCs)
  Processes: taskmgr.exe, pid 508 (40 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\Комплект документов по запросу от 20.08.2021 БН.pdf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Комплект документов по запросу от 20.08.2021 БН.pdf.exe"
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /0
  Signatures:
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage