Analysis
max time kernel: 135s
max time network: 153s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 19-09-2022 02:18
Static task: static1
Behavioral task: behavioral1
Sample: MT1893878746.PDF.IMG.exe
Resource: win7-20220901-en
General
Target: MT1893878746.PDF.IMG.exe
Size: 1.2MB
MD5: b7babb9f64a9ecd894d100ce02f132fe
SHA1: 8fa93c638d331f51ec638655d82ec431fdae3f6a
SHA256: fee7bc7eff7adf5192824e245be39b703275f67cc6be520fd8adf157ce221934
SHA512: 8bc04fc8c754acef111aa8d68885293be136ba387a925facadf7a19c423c3cd94105eac3676669b7c280076321add5a4ae080db56be272cb28b933f06c307743
SSDEEP: 12288:4v+bQYpRi8N69+d0qKu3rXbSIVfqNZSM1fpJwNDxGVwef3G1oMfqzpcfu2E:bpRbi+d0qPVGZTFfLweO1oMSzpKE
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
Processes:
  PID 1936  mt1893878746.pdf.img.exe
  PID 2004  mt1893878746.pdf.img.exe

Deletes itself (1 IoC)
Processes:
  PID 1744  cmd.exe

Loads dropped DLL (3 IoCs)
Processes:
  PID 680   MT1893878746.PDF.IMG.exe
  PID 680   MT1893878746.PDF.IMG.exe
  PID 1936  mt1893878746.pdf.img.exe

Suspicious use of SetThreadContext (2 IoCs)
Processes (process -> target process):
  PID 2016  MT1893878746.PDF.IMG.exe  set thread context of  PID 680   MT1893878746.PDF.IMG.exe
  PID 1936  mt1893878746.pdf.img.exe  set thread context of  PID 2004  mt1893878746.pdf.img.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
  PID 1736  schtasks.exe
  PID 1596  schtasks.exe

Runs ping.exe (1 TTP, 1 IoC)

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  PID 764   powershell.exe
  PID 1664  powershell.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes:
  Token: SeDebugPrivilege  PID 680   MT1893878746.PDF.IMG.exe
  Token: SeDebugPrivilege  PID 764   powershell.exe
  Token: SeDebugPrivilege  PID 1664  powershell.exe
  Token: SeDebugPrivilege  PID 2004  mt1893878746.pdf.img.exe

Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
  PID 2004  mt1893878746.pdf.img.exe

Suspicious use of WriteProcessMemory (46 IoCs)
Processes (process -> target process; the report lists one line per write event, collapsed here with the event count so the 46 IoCs still add up):
  PID 2016  MT1893878746.PDF.IMG.exe  wrote to memory of  PID 764   powershell.exe            (4 events)
  PID 2016  MT1893878746.PDF.IMG.exe  wrote to memory of  PID 1736  schtasks.exe              (4 events)
  PID 2016  MT1893878746.PDF.IMG.exe  wrote to memory of  PID 680   MT1893878746.PDF.IMG.exe  (9 events)
  PID 680   MT1893878746.PDF.IMG.exe  wrote to memory of  PID 1936  mt1893878746.pdf.img.exe  (4 events)
  PID 680   MT1893878746.PDF.IMG.exe  wrote to memory of  PID 1744  cmd.exe                   (4 events)
  PID 1744  cmd.exe                   wrote to memory of  PID 1016  PING.EXE                  (4 events)
  PID 1936  mt1893878746.pdf.img.exe  wrote to memory of  PID 1664  powershell.exe            (4 events)
  PID 1936  mt1893878746.pdf.img.exe  wrote to memory of  PID 1596  schtasks.exe              (4 events)
  PID 1936  mt1893878746.pdf.img.exe  wrote to memory of  PID 2004  mt1893878746.pdf.img.exe  (9 events)
Processes
(process tree; indentation shows depth, children are listed under their parent)

C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe"
  PID: 2016
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\dGKItyBaw.exe"
    PID: 764
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dGKItyBaw" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9D1.tmp"
    PID: 1736
    - Creates scheduled task(s)

  C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe"
    PID: 680
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe"
      PID: 1936
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\dGKItyBaw.exe"
        PID: 1664
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\schtasks.exe
        Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dGKItyBaw" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD3B4.tmp"
        PID: 1596
        - Creates scheduled task(s)

      C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe"
        PID: 2004
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe"
      PID: 1744
      - Deletes itself
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\PING.EXE
        Command line: ping 1.1.1.1 -n 1 -w 1000
        PID: 1016
        - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
(no path recorded; the report lists this entry 7 times with identical hashes)
Filesize: 1.2MB
MD5: b7babb9f64a9ecd894d100ce02f132fe
SHA1: 8fa93c638d331f51ec638655d82ec431fdae3f6a
SHA256: fee7bc7eff7adf5192824e245be39b703275f67cc6be520fd8adf157ce221934
SHA512: 8bc04fc8c754acef111aa8d68885293be136ba387a925facadf7a19c423c3cd94105eac3676669b7c280076321add5a4ae080db56be272cb28b933f06c307743
(no path recorded; the report lists this entry twice with identical hashes)
Filesize: 1KB
MD5: 8bec5227172f76c70b397abd47410dda
SHA1: 1b1187b952d5cd90c74fa63e5a715ccc1c316327
SHA256: 9929544768ba0af441626cda4ab4b7b58013e48ed7c29ae0746216e51fb6d7e8
SHA512: 71854ad20e041c008d52fe885d38cedc641c51592fe61106a0283b389cf4755d9c071f1c1b43cecf0b31765f1d5908e7bd88e2dc06b1f823335197a76a1edf27
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize: 7KB
MD5: 3adcbb4708004705f585864c704df0c2
SHA1: 52ea085b2c2ead19ef278a8bc3d6861a169e72ce
SHA256: 6322d60c847f1d9c9809f474de81af43098ec972d0d42bade1bf10518b1f6b7a
SHA512: fe86f192408715232363c9a3465fe0e47cbc297438f3f08ec781e6f14a9f4bddc4de5fa6e0a3266346e83161de616e5c381a793bf31005baafa45f34cc2a2ed2