Analysis

  • max time kernel
    72s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    20-05-2022 23:30

General

  • Target

    Purchase Order 251177.pdf.exe

  • Size

    620KB

  • MD5

    de2cb62deae3547dc782d3229b4bdd52

  • SHA1

    ed48de586e986ec9cc8eef85c04b735872cb1af8

  • SHA256

    798757b5cf663c8a4f19074ad76705d66ed8295a4b66d44ee418971391c00c2d

  • SHA512

    c44fa8b9161ba539e6f2fe265641883005ac5b8372bd3a9fdabe60b75374cdf8049ed7d9e75b2283be5654b55887ceb95246f696e6abfa41217f4710da25aaeb

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Purchase Order 251177.pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\Purchase Order 251177.pdf.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1464
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KFIPySp" /XML "C:\Users\Admin\AppData\Local\Temp\tmp723.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1136
    • C:\Users\Admin\AppData\Local\Temp\Purchase Order 251177.pdf.exe
      "{path}"
      2⤵
      PID:892
    • C:\Users\Admin\AppData\Local\Temp\Purchase Order 251177.pdf.exe
      "{path}"
      2⤵
      PID:880
    • C:\Users\Admin\AppData\Local\Temp\Purchase Order 251177.pdf.exe
      "{path}"
      2⤵
      PID:1368
    • C:\Users\Admin\AppData\Local\Temp\Purchase Order 251177.pdf.exe
      "{path}"
      2⤵
      PID:1888
    • C:\Users\Admin\AppData\Local\Temp\Purchase Order 251177.pdf.exe
      "{path}"
      2⤵
      PID:1432

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Execution
    Scheduled Task: 1 (T1053)
  • Persistence
    Scheduled Task: 1 (T1053)
  • Privilege Escalation
    Scheduled Task: 1 (T1053)
  • Discovery
    System Information Discovery: 1 (T1082)


Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp723.tmp
    Filesize: 1KB
    MD5: 37e4bda756e2fefd02e26028b30db298
    SHA1: 793be727c4674648f5e43808ee38de20fd7639e6
    SHA256: 1aaa453c67c4dd6f240596090c1cbb02a3f227090b8e1094b34a4243aab8fbf4
    SHA512: 2c1fe0b60a72fcfc1f2f25a95d17943b4652a6531d7ad88837602f68e3d070a6373fab52167d374ef5bc7cc6fcfd9feb9a633a34e5f695b6c3eebad47c60fa5f
  • memory/1136-59-0x0000000000000000-mapping.dmp
  • memory/1464-54-0x00000000003A0000-0x0000000000440000-memory.dmp
    Filesize: 640KB
  • memory/1464-55-0x00000000754A1000-0x00000000754A3000-memory.dmp
    Filesize: 8KB
  • memory/1464-56-0x0000000000390000-0x00000000003A0000-memory.dmp
    Filesize: 64KB
  • memory/1464-57-0x00000000051F0000-0x0000000005240000-memory.dmp
    Filesize: 320KB
  • memory/1464-58-0x0000000005870000-0x00000000058E2000-memory.dmp
    Filesize: 456KB