f568ce7db6d1771bef9736db48fabf56893363bd7fe8de4addb30243a1906e7a

General

Target

Quotation856784.Scan.pdf...exe
Size

518KB
MD5

1215485cb68eaf43a0c6ab2bc053760d
SHA1

2461af3628b32b1704d3ac64fe1fb2ccef0a4a26
SHA256

cb9867492e8957b7b53233a7d2b63bc713a429a756b56166440fb4ef7fa22acc
SHA512

908329b7b47bc714f8d99532c919ee1a0fef61c9ac33ab18abb19886b88e33152dbb6d95e915fb86f5b22558a8bf9d05d7950348f7c461f11b194bb16d0aa428

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2012 schtasks.exe

pid	process
2012	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

Quotation856784.Scan.pdf...exe

pid	process
324	Quotation856784.Scan.pdf...exe
324	Quotation856784.Scan.pdf...exe
324	Quotation856784.Scan.pdf...exe
324	Quotation856784.Scan.pdf...exe
324	Quotation856784.Scan.pdf...exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Quotation856784.Scan.pdf...exe

description pid process

Token: SeDebugPrivilege 324 Quotation856784.Scan.pdf...exe

description	pid	process
Token: SeDebugPrivilege	324	Quotation856784.Scan.pdf...exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

Quotation856784.Scan.pdf...exe

C:\Users\Admin\AppData\Local\Temp\Quotation856784.Scan.pdf...exe
"C:\Users\Admin\AppData\Local\Temp\Quotation856784.Scan.pdf...exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:324

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KciqvW" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBBB2.tmp"
2⤵
- Creates scheduled task(s)
PID:2012

C:\Users\Admin\AppData\Local\Temp\Quotation856784.Scan.pdf...exe
"{path}"
2⤵
PID:1752

C:\Users\Admin\AppData\Local\Temp\Quotation856784.Scan.pdf...exe
"{path}"
2⤵
PID:1708

C:\Users\Admin\AppData\Local\Temp\Quotation856784.Scan.pdf...exe
"{path}"
2⤵
PID:1968

C:\Users\Admin\AppData\Local\Temp\Quotation856784.Scan.pdf...exe
"{path}"
2⤵
PID:1948

C:\Users\Admin\AppData\Local\Temp\Quotation856784.Scan.pdf...exe
"{path}"
2⤵
PID:1956

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpBBB2.tmp
Filesize
1KB

MD5
8f42ff8cec49cd1b4d07fc07d2661059

SHA1
e1ef777ef32c6b77ae6cfe312e3aae193a685c44

SHA256
396317be7e7e5d064eb805623eddfdce6a3365bfa18136bd00dfc546dc0fde40

SHA512
4800b8ce5afde33ec00430473a669e0fdffc3d854b7b62165d599642e264d40258c00ddb30284c795933d1fd7835206937890f3dee19a324d7175e94e0f80156

Download Submit
memory/324-54-0x0000000075E51000-0x0000000075E53000-memory.dmp

Filesize
8KB

Download
memory/324-55-0x0000000074590000-0x0000000074B3B000-memory.dmp

Filesize
5.7MB

Download
memory/2012-56-0x0000000000000000-mapping.dmp

Download

description	pid	process	target process
PID 324 wrote to memory of 2012	324	Quotation856784.Scan.pdf...exe	schtasks.exe
PID 324 wrote to memory of 2012	324	Quotation856784.Scan.pdf...exe	schtasks.exe
PID 324 wrote to memory of 2012	324	Quotation856784.Scan.pdf...exe	schtasks.exe
PID 324 wrote to memory of 2012	324	Quotation856784.Scan.pdf...exe	schtasks.exe
PID 324 wrote to memory of 1752	324	Quotation856784.Scan.pdf...exe	Quotation856784.Scan.pdf...exe
PID 324 wrote to memory of 1752	324	Quotation856784.Scan.pdf...exe	Quotation856784.Scan.pdf...exe
PID 324 wrote to memory of 1752	324	Quotation856784.Scan.pdf...exe	Quotation856784.Scan.pdf...exe
PID 324 wrote to memory of 1752	324	Quotation856784.Scan.pdf...exe	Quotation856784.Scan.pdf...exe
PID 324 wrote to memory of 1708	324	Quotation856784.Scan.pdf...exe	Quotation856784.Scan.pdf...exe
PID 324 wrote to memory of 1708	324	Quotation856784.Scan.pdf...exe	Quotation856784.Scan.pdf...exe
PID 324 wrote to memory of 1708	324	Quotation856784.Scan.pdf...exe	Quotation856784.Scan.pdf...exe
PID 324 wrote to memory of 1708	324	Quotation856784.Scan.pdf...exe	Quotation856784.Scan.pdf...exe
PID 324 wrote to memory of 1968	324	Quotation856784.Scan.pdf...exe	Quotation856784.Scan.pdf...exe
PID 324 wrote to memory of 1968	324	Quotation856784.Scan.pdf...exe	Quotation856784.Scan.pdf...exe
PID 324 wrote to memory of 1968	324	Quotation856784.Scan.pdf...exe	Quotation856784.Scan.pdf...exe
PID 324 wrote to memory of 1968	324	Quotation856784.Scan.pdf...exe	Quotation856784.Scan.pdf...exe
PID 324 wrote to memory of 1948	324	Quotation856784.Scan.pdf...exe	Quotation856784.Scan.pdf...exe
PID 324 wrote to memory of 1948	324	Quotation856784.Scan.pdf...exe	Quotation856784.Scan.pdf...exe
PID 324 wrote to memory of 1948	324	Quotation856784.Scan.pdf...exe	Quotation856784.Scan.pdf...exe
PID 324 wrote to memory of 1948	324	Quotation856784.Scan.pdf...exe	Quotation856784.Scan.pdf...exe
PID 324 wrote to memory of 1956	324	Quotation856784.Scan.pdf...exe	Quotation856784.Scan.pdf...exe
PID 324 wrote to memory of 1956	324	Quotation856784.Scan.pdf...exe	Quotation856784.Scan.pdf...exe
PID 324 wrote to memory of 1956	324	Quotation856784.Scan.pdf...exe	Quotation856784.Scan.pdf...exe
PID 324 wrote to memory of 1956	324	Quotation856784.Scan.pdf...exe	Quotation856784.Scan.pdf...exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads