Analysis
-
max time kernel
112s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
21-05-2022 12:11
Static task
static1
Behavioral task
behavioral1
Sample
Order No. BCM190282_pdf.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
Order No. BCM190282_pdf.exe
Resource
win10v2004-20220414-en
General
-
Target
Order No. BCM190282_pdf.exe
-
Size
826KB
-
MD5
69e545d71bc4c5ce0e183ff07de3a461
-
SHA1
a9ad99446510ffeb6df4674e347759e75636620a
-
SHA256
8e4f6a245cfec457659dbed6b01543fa43cbdb623afa53185e27fa82ddb5a79d
-
SHA512
76e36c9586afa56f0ce68bca5a2413edbd7c97142362f9803c6b8fa336e81fff87c817c1f53c562c531b140c70f4d79758a91eea1ad7f845e01414186e485431
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
Order No. BCM190282_pdf.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation Order No. BCM190282_pdf.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
Order No. BCM190282_pdf.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ZrSnbJGc = "C:\\Users\\Admin\\AppData\\Roaming\\ZrSnbJGc.exe" Order No. BCM190282_pdf.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
Order No. BCM190282_pdf.exedescription pid process target process PID 3164 wrote to memory of 1664 3164 Order No. BCM190282_pdf.exe wscript.exe PID 3164 wrote to memory of 1664 3164 Order No. BCM190282_pdf.exe wscript.exe PID 3164 wrote to memory of 1664 3164 Order No. BCM190282_pdf.exe wscript.exe PID 3164 wrote to memory of 2660 3164 Order No. BCM190282_pdf.exe Order No. BCM190282_pdf.exe PID 3164 wrote to memory of 2660 3164 Order No. BCM190282_pdf.exe Order No. BCM190282_pdf.exe PID 3164 wrote to memory of 2660 3164 Order No. BCM190282_pdf.exe Order No. BCM190282_pdf.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Order No. BCM190282_pdf.exe"C:\Users\Admin\AppData\Local\Temp\Order No. BCM190282_pdf.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wscript.exe"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Roaming\iUghIUAa.vbs2⤵
-
C:\Users\Admin\AppData\Local\Temp\Order No. BCM190282_pdf.exe"C:\Users\Admin\AppData\Local\Temp\Order No. BCM190282_pdf.exe"2⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1664-134-0x0000000000000000-mapping.dmp
-
memory/2660-135-0x0000000000000000-mapping.dmp
-
memory/3164-131-0x0000000000F40000-0x0000000001014000-memory.dmpFilesize
848KB
-
memory/3164-132-0x0000000005260000-0x0000000005804000-memory.dmpFilesize
5.6MB
-
memory/3164-133-0x0000000004CB0000-0x0000000004D4C000-memory.dmpFilesize
624KB