65b7b3eb15b6563c277b66fedf41af12c9d3a1d909d41943089b8282103299ce

General

Target

New Orders- POB0.pdf.exe
Size

783KB
MD5

0f22eacae1316be03f6829946306b593
SHA1

3a3d3297ae8b1e96bc0fda3502a58d69447a2577
SHA256

b6cbbb6a53fb168a24f6a2f4bbf296547e5ece0314e2b9c21d6662af66a3ac4a
SHA512

3b74d936eb6faeab8ea2b37aee1bf90ee54e76a0e37f8ba08d2580908cb648d19da89720a51e5475298abfdab969a474f6145157e5b2662767f7a05795ab6e36

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

New Orders- POB0.pdf.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	New Orders- POB0.pdf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4528 schtasks.exe

pid	process
4528	schtasks.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

New Orders- POB0.pdf.exe

pid	process
4880	New Orders- POB0.pdf.exe
4880	New Orders- POB0.pdf.exe
4880	New Orders- POB0.pdf.exe
4880	New Orders- POB0.pdf.exe
4880	New Orders- POB0.pdf.exe
4880	New Orders- POB0.pdf.exe
4880	New Orders- POB0.pdf.exe
4880	New Orders- POB0.pdf.exe
4880	New Orders- POB0.pdf.exe
4880	New Orders- POB0.pdf.exe
4880	New Orders- POB0.pdf.exe
4880	New Orders- POB0.pdf.exe
4880	New Orders- POB0.pdf.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

New Orders- POB0.pdf.exe

description pid process

Token: SeDebugPrivilege 4880 New Orders- POB0.pdf.exe

description	pid	process
Token: SeDebugPrivilege	4880	New Orders- POB0.pdf.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

New Orders- POB0.pdf.exe

description	pid	process	target process
PID 4880 wrote to memory of 4528	4880	New Orders- POB0.pdf.exe	schtasks.exe
PID 4880 wrote to memory of 4528	4880	New Orders- POB0.pdf.exe	schtasks.exe
PID 4880 wrote to memory of 4528	4880	New Orders- POB0.pdf.exe	schtasks.exe
PID 4880 wrote to memory of 4348	4880	New Orders- POB0.pdf.exe	RegSvcs.exe
PID 4880 wrote to memory of 4348	4880	New Orders- POB0.pdf.exe	RegSvcs.exe
PID 4880 wrote to memory of 4348	4880	New Orders- POB0.pdf.exe	RegSvcs.exe
PID 4880 wrote to memory of 3392	4880	New Orders- POB0.pdf.exe	RegSvcs.exe
PID 4880 wrote to memory of 3392	4880	New Orders- POB0.pdf.exe	RegSvcs.exe
PID 4880 wrote to memory of 3392	4880	New Orders- POB0.pdf.exe	RegSvcs.exe
PID 4880 wrote to memory of 3392	4880	New Orders- POB0.pdf.exe	RegSvcs.exe
PID 4880 wrote to memory of 3392	4880	New Orders- POB0.pdf.exe	RegSvcs.exe
PID 4880 wrote to memory of 3392	4880	New Orders- POB0.pdf.exe	RegSvcs.exe
PID 4880 wrote to memory of 1056	4880	New Orders- POB0.pdf.exe	RegSvcs.exe
PID 4880 wrote to memory of 1056	4880	New Orders- POB0.pdf.exe	RegSvcs.exe
PID 4880 wrote to memory of 1056	4880	New Orders- POB0.pdf.exe	RegSvcs.exe
PID 4880 wrote to memory of 1056	4880	New Orders- POB0.pdf.exe	RegSvcs.exe
PID 4880 wrote to memory of 1056	4880	New Orders- POB0.pdf.exe	RegSvcs.exe
PID 4880 wrote to memory of 1056	4880	New Orders- POB0.pdf.exe	RegSvcs.exe
PID 4880 wrote to memory of 4560	4880	New Orders- POB0.pdf.exe	RegSvcs.exe
PID 4880 wrote to memory of 4560	4880	New Orders- POB0.pdf.exe	RegSvcs.exe
PID 4880 wrote to memory of 4560	4880	New Orders- POB0.pdf.exe	RegSvcs.exe
PID 4880 wrote to memory of 4560	4880	New Orders- POB0.pdf.exe	RegSvcs.exe
PID 4880 wrote to memory of 4560	4880	New Orders- POB0.pdf.exe	RegSvcs.exe
PID 4880 wrote to memory of 4560	4880	New Orders- POB0.pdf.exe	RegSvcs.exe
PID 4880 wrote to memory of 2780	4880	New Orders- POB0.pdf.exe	RegSvcs.exe
PID 4880 wrote to memory of 2780	4880	New Orders- POB0.pdf.exe	RegSvcs.exe
PID 4880 wrote to memory of 2780	4880	New Orders- POB0.pdf.exe	RegSvcs.exe
PID 4880 wrote to memory of 2780	4880	New Orders- POB0.pdf.exe	RegSvcs.exe
PID 4880 wrote to memory of 2780	4880	New Orders- POB0.pdf.exe	RegSvcs.exe
PID 4880 wrote to memory of 2780	4880	New Orders- POB0.pdf.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\New Orders- POB0.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\New Orders- POB0.pdf.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4880

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\&startupname&" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA27A.tmp"
2⤵
- Creates scheduled task(s)
PID:4528

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
2⤵
PID:4348

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
2⤵
PID:3392

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
2⤵
PID:1056

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
2⤵
PID:4560

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
2⤵
PID:2780

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpA27A.tmp
Filesize
1KB

MD5
4aa7d4126cf14e812f5bb881ec9442d0

SHA1
753f1873b92987a4d9d47d14555b0022ee25431b

SHA256
5864ffbfd512ba8a57ef045a45be0bdbd76e0f49aae6425959a9154c453cd9c6

SHA512
014a3a18e8e1667c1324658c0a7a3f7b83283d9a50c2fd47c92ad420df152c8e93b6517be2d22cc5bea741edffea202a899edc95ef43f9ec2ef940f34a29c3b6

Download Submit
memory/1056-139-0x0000000000000000-mapping.dmp

Download
memory/2780-141-0x0000000000000000-mapping.dmp

Download
memory/3392-138-0x0000000000000000-mapping.dmp

Download
memory/4348-137-0x0000000000000000-mapping.dmp

Download
memory/4528-135-0x0000000000000000-mapping.dmp

Download
memory/4560-140-0x0000000000000000-mapping.dmp

Download
memory/4880-130-0x0000000000560000-0x000000000062A000-memory.dmp

Filesize
808KB

Download
memory/4880-131-0x00000000055A0000-0x0000000005B44000-memory.dmp

Filesize
5.6MB

Download
memory/4880-132-0x0000000004FF0000-0x0000000005082000-memory.dmp

Filesize
584KB

Download
memory/4880-133-0x0000000004FB0000-0x0000000004FBA000-memory.dmp

Filesize
40KB

Download
memory/4880-134-0x00000000089B0000-0x0000000008A4C000-memory.dmp

Filesize
624KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads