Overview

overview

10

Static

static

yeni sipariş pdf.exe

windows7_x64

10

yeni sipariş pdf.exe

windows10-2004_x64

7

Analysis

  • max time kernel
    99s
  • max time network
    104s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    07-02-2022 12:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    yeni sipariş pdf.exe

  • Size

    822KB

  • MD5

    41d2899a4441944b48daba79bfb70dd0

  • SHA1

    463778a640b327918d8e67cd2f9fa949be3b04e8

  • SHA256

    7480e4ba962590b3f14f4516861bb1aa80ffa08223a944ee6599cfe3b4e89bce

  • SHA512

    cb5b11e73fb06ffe3e1c4f91658899d82c8da6c6db9f3b3c126840bfb728b6ee862f8b45c903366ab37c2570baff6c298af41f4ffbd92e624579e8c4bc380104

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\yeni sipariş pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\yeni sipariş pdf.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4604
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\oifnpghsFyo.exe"
      2⤵
        PID:2432
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oifnpghsFyo" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD73E.tmp"
        2⤵
        • Creates scheduled task(s)
        PID:4140
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
      1⤵
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:3628

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/3628-148-0x000001EE1D860000-0x000001EE1D864000-memory.dmp
      Filesize

      16KB

      Download
    • memory/4604-130-0x0000000000300000-0x00000000003D4000-memory.dmp
      Filesize

      848KB

      Download
    • memory/4604-131-0x0000000005300000-0x00000000058A4000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/4604-132-0x0000000004DF0000-0x0000000004E82000-memory.dmp
      Filesize

      584KB

      Download
    • memory/4604-133-0x0000000004D50000-0x00000000052F4000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/4604-134-0x0000000004D80000-0x0000000004D8A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/4604-135-0x0000000007290000-0x000000000732C000-memory.dmp
      Filesize

      624KB

      Download